Encryption apparatus and method, and decryption apparatus and method based on block encryption

ABSTRACT

An encryption apparatus for block data, comprises a first processing unit randomizing the block data in units of first portions obtained by dividing the block data, and a second processing unit diffusing the block data output from the first processing unit with respect to a second portion of the block data which is wider than the first portion. The first processing unit comprises first nonlinear processing units nonlinearly transforming the block data in units of the first portions. The second processing unit comprises a first linear diffusion processing unit linearly diffusing the second portion of the block data. At least one of the first nonlinear processing units comprises second nonlinear processing units nonlinearly transforming the block data in units of the first portions, and a second linear diffusion processing unit linearly diffusing the second portion of the block data.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is based upon and claims the benefit of priority from the prior Japanese Patent Applications No. 2000-060482, filed Mar. 6, 2000; and No. 2000-210484, filed Jul. 11, 2000, the entire contents of both of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

[0002] The present invention relates to an encryption apparatus and method, and a decryption apparatus and method based on a block encryption scheme, and an operating unit used in the encryption and decryption apparatuses.

[0003] Typical fundamental structures of common key block encryption schemes include the SPN type and the Feistel type. For both structures, design methods for improving strength evaluation and resiliency against differential/linear cryptanalysis have been studied (reference [1] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers & E. De Win, “The Cipher SHARK,” Fast Software Encryption, LNCS 1039, 1996; reference [2] Kazumaro Aoki, Kazuo Ota, “More Strict Evaluation of Maximum Mean Differential Probability and Maximum Mean Linear Probability,” SCIS 96-4A, 1996; reference [3] Mitsuru Matsui, “Block encryption scheme MISTY,” ISEC 96-11, 1996).

[0004] With the SPN structure, since the number of active S-boxes can be guaranteed, the number of stages for achieving the set strength can be easily determined (reference [1]). However, when the block size increases and the parallelness of the S-boxes becomes high, the processing of the diffusion layers becomes complicated, resulting in low speed.

[0005] The SQUARE/Rijndael cipher can solve this problem (reference [4] J. Daemen, L. R. Knudsen & V. Rijmen, “The Block encryption scheme Square,” Fast Software Encryption, LNCS 1267, 1997; reference [5] J. Daemen & V. Rijmen, “AES Proposal: Rijndael,” http://www.east.kuleuven.ac.be/~rijmen/rijdael/rijndaeldocV2.zip).

[0006] In a cipher of this type, 16 parallel S-boxes are arranged in a 4×4 matrix to limit linear diffusion to a single column, thus reducing the processing load. By combining rearrangement of byte positions with linear diffusion, the influence of one byte in a given stage is diffused to all bytes two stages later, and 25 or more active S-boxes in four stages (robust against differential/linear cryptanalysis) are achieved.

[0007] However, since bytes in a single column do not mix in the next stage, a dedicated attack called the SQUARE attack exists (reference [1], reference [5]). This results from achieving both high strength and efficiency under the restriction of only one type of diffusion layer.

[0008] The SPN structure allows easy estimation of the lower limit of the number of active S-boxes, and can be designed to guarantee high strength against differential/linear cryptanalysis. However, when the parallelness of the S-boxes becomes higher with increasing block size of the plaintext/ciphertext, the calculation cost of the coupling portion of the diffusion layers becomes high. Also, uniform data diffusion cannot be attained depending on the design of the diffusion layers.

BRIEF SUMMARY OF THE INVENTION

[0009] Accordingly, the present invention is directed to a method and apparatus that substantially obviate one or more of the problems due to limitations and disadvantages of the related art.

[0010] In accordance with the purpose of the invention, as embodied and broadly described, the invention is directed to an apparatus for encrypting block data, comprising a first processing unit configured to randomize the block data in units of first portions obtained by dividing the block data, and a second processing unit configured to diffuse the block data output from the first processing unit with respect to a second portion of the block data which is wider than the first portion.

[0011] Also, in accordance with the present invention, there is provided a method of encrypting block data, comprising randomizing the block data in units of first portions obtained by dividing the block data, and diffusing the randomized block data with respect to a second portion of the block data which is wider than the first portion.

[0012] According to the present invention, there is provided an apparatus for decrypting encrypted block data, comprising a first processing unit configured to randomize the encrypted block data in units of first portions obtained by dividing the encrypted block data, and a second processing unit configured to diffuse the encrypted block data output from the first processing unit with respect to a second portion of the encrypted block data which is wider than the first portion.

[0013] According to the present invention, there is provided an article of manufacture comprising a computer usable medium having computer readable program code means embodied therein, the computer readable program code means comprising first computer readable program code means for causing a computer to randomize the encrypted block data in units of first portions obtained by dividing the encrypted block data, and second computer readable program code means for causing a computer to diffuse the encrypted block data output from the first processing unit with respect to a second portion of the encrypted block data which is wider than the first portion.

[0014] According to the present invention, there is provided an arithmetic operation device for a block data encryption apparatus, which device diffuses block data using a Maximum Distance Separable matrix, the device comprising: a multiplier configured to multiply corresponding bits of first portions obtained by dividing the block data and an element of the Maximum Distance Separable matrix without feeding back an overflow; a lookup table configured to store data indicating a relation between predetermined upper bits and a return word for adjusting the overflow; and an EX-OR circuit configured to read out the return word based on the predetermined upper bits and EX-OR the read return word and an output of the multiplier.

[0015] According to the present invention, an encryption apparatus and method, and a decryption apparatus and method, achieve uniform diffusion while suppressing calculation cost.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

[0016] FIG. 1 is a view for explaining the basic configuration of encryption according to the first embodiment of the present invention;

[0017] FIG. 2 is a view for explaining an encryption strength;

[0018] FIG. 3 is a view showing an example of the hierarchical structure of a data randomizing part of nested encryption;

[0019] FIG. 4 is a block diagram showing an example of the arrangement of an encryption apparatus;

[0020] FIG. 5 shows an example of an S-box;

[0021] FIG. 6 shows an example of the internal arrangement of an extended S-box;

[0022] FIG. 7 shows an example of a lower-level MDS;

[0023] FIG. 8 shows an example of the structure of one stage of the data randomizing part;

[0024] FIG. 9 shows an example of a higher-level MDS;

[0025] FIG. 10 shows another example of the higher-level MDS;

[0026] FIG. 11 is a block diagram showing an example of the arrangement of a key scheduling part;

[0027] FIG. 12 is a block diagram showing another example of the arrangement of the key scheduling part;

[0028] FIG. 13 is a block diagram showing an example of the internal arrangement of a nonlinear transformation layer;

[0029] FIG. 14 is a block diagram showing another example of the internal arrangement of the nonlinear transformation layer;

[0030] FIG. 15 shows an example of an additive constant table;

[0031] FIG. 16 is a block diagram showing an example of the arrangement of a Galois field multiplier;

[0032] FIG. 17 is a block diagram showing an example of the arrangement of a linear transformation section;

[0033] FIG. 18 is a block diagram showing another example of the arrangement of the linear transformation section;

[0034] FIG. 19 is a block diagram showing an example of the arrangement of an MDS matrix generation section;

[0035] FIG. 20 is a flow chart showing an example of an MDS matrix generation processing sequence;

[0036] FIG. 21 is a block diagram showing another example of the arrangement of the MDS matrix generation section;

[0037] FIG. 22 is a flow chart showing another example of the MDS matrix generation processing sequence;

[0038] FIG. 23 is a flow chart showing an example of a processing sequence for selecting a combination of an S-box and lower-level MDS;

[0039] FIG. 24 is a block diagram showing an example of the arrangement of a decryption apparatus;

[0040] FIG. 25 shows an example of the internal arrangement of the inverse transform of an extended S-box;

[0041] FIG. 26 shows an example of the structure of one stage of the inverse transform of a data randomizing part;

[0042] FIG. 27 is a block diagram showing an example of the arrangement of a key scheduling part;

[0043] FIG. 28 is a view for explaining the basic configuration of encryption according to the second embodiment of the present invention;

[0044] FIG. 29 shows an example of the structure of one stage of the inverse transform of a data randomizing part;

[0045] FIG. 30 shows an example of the higher-level MDS;

[0046] FIG. 31 shows line connection expressions of multiplication over GF(2⁴);

[0047] FIG. 32 shows another example of the higher-level MDS;

[0048] FIG. 33 is a view for explaining renormalization in the higher-level MDS;

[0049] FIG. 34 shows still another example of the higher-level MDS;

[0050] FIG. 35 is a block diagram showing still another example of the arrangement of the key scheduling part;

[0051] FIG. 36 is a block diagram showing still another example of the arrangement of the key scheduling part;

[0052] FIG. 37 shows another example of the additive constant table;

[0053] FIG. 38 is a block diagram showing another example of the decryption apparatus;

[0054] FIG. 39 shows another example of the structure of one stage of the inverse transform of the data randomizing part;

[0055] FIG. 40 is a block diagram showing still another example of the arrangement of the key scheduling part at the time of decryption;

[0056] FIG. 41 is a block diagram showing an example of a system using the encryption apparatus of the present invention;

[0057] FIG. 42 is a block diagram showing another example of the system using the encryption apparatus of the present invention;

[0058] FIG. 43 is a block diagram showing still another example of the system using the encryption apparatus of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0059] A preferred embodiment of an encryption apparatus and method, and a decryption apparatus and method based on a block encryption scheme, and an operating unit used in the encryption and decryption apparatuses according to the present invention will now be described with reference to the accompanying drawings.

[0060] In the embodiment, nested (recursive) SPN encryption as a combination of local randomization (lower-level diffusion) and diffusion over the block width (higher-level diffusion) will be explained. In the following description, encryption will be mainly explained, and decryption will then be explained. Note that a decryption algorithm is the inverse transform of an encryption algorithm, and a key is a secret key common to encryption and decryption. The encryption system of this embodiment can be implemented by either hardware or software, and an arrangement example to be described below can be achieved as a functional block diagram of an encryption apparatus (decryption apparatus) or a functional module diagram of an encryption algorithm (decryption algorithm).

[0061] FIG. 1 shows an example of the basic configuration of nested SPN encryption (an encryption (or decryption) apparatus or encryption (or decryption) algorithm, an encryption processing apparatus).

[0062] As shown in FIG. 1, in the nested SPN structure, each of a plurality of parallel nonlinear transformation modules (extended S-boxes in an example to be described later) 2 in each stage executes local, lower-level diffusion, a diffusion module (a higher-level MDS in an example to be described later) 3 executes broad, higher-level diffusion over the block width, the nonlinear transformation modules 2 execute local, lower-level diffusions, . . . , and this process is repeated for a predetermined number of stages. Each nonlinear transformation module 2 is constructed by alternately arranging nonlinear transformation modules (S-boxes in an example to be described later) and diffusion modules (lower-level MDS in an example to be described later). That is, in the nested SPN structure of this embodiment, lower-level SPN structures (two stages of SPN structures in an example to be described later) are recursively embedded in the S-box portions of the normal SPN structure.

[0063] According to such a nested SPN structure, the branch number can be hierarchically guaranteed (hierarchy of the branch number), and the lower limit of the number of active S-boxes can also be easily guaranteed. In the nested SPN structure, strength evaluation can be easily made owing to its simple structure.

[0064] In FIG. 1, local, lower-level diffusions are expressed by four parallel nonlinear transformation modules 2. However, the number of parallel modules is not limited to four, and other numbers of parallel modules may be used. Also, the numbers of bits of the four parallel nonlinear transformation modules are equal to each other. However, the present invention is not limited to such a specific number of bits, and a plurality of nonlinear transformation modules 2 having different numbers of bits may be combined. In this case, all nonlinear transformation modules may have different bit lengths, or some lower-level diffusions may have the same bit length. Also, one type of diffusion module 3 is used. Alternatively, two or more different types of diffusion modules 3 may be used. For example, every other diffusion module 3 over the block width may be replaced by two nonlinear transformation modules. Furthermore, in addition to the method that adopts the repetitive structure of identical arrangements, only some arrangements may be replaced.

[0065] Moreover, all the nonlinear transformation modules 2 may have the same arrangement or may include different arrangements. The same applies to the diffusion module 3, the nonlinear transformation modules 4, and the diffusion module 5. For example, the first input stage and the last output stage may have internal arrangements different from those of the other intermediate stages. This embodiment adopts a nested structure of two layers, but may use a nested structure of three or more layers (in the case of three layers, each nonlinear transformation module 4 further has an SPN structure). For example, nonlinear transformation modules 2 may have different hierarchical structures. In addition, other variations are available.

[0066] This embodiment will be explained below taking a 128-bit block encryption scheme equivalent to AES that uses 8-bit S-boxes as an example.

[0067] Strength evaluation of the block encryption scheme will be explained below.

[0068] As an important measure for estimating the encryption strength of a given function f, the maximum differential probability/maximum linear probability is known.

[0069] The maximum differential probability dp^f and maximum linear probability lp^f with respect to a function f(x) are respectively given by:

$dp^{f} \equiv \max_{\Delta x \neq 0,\,\Delta y} \frac{\#\{ x \mid f(x) \oplus f(x \oplus \Delta x) = \Delta y \}}{2^{n}}$

$lp^{f} \equiv \max_{\Gamma x,\,\Gamma y \neq 0} \left| 2 \cdot \frac{\#\{ x \mid x \cdot \Gamma x = f(x) \cdot \Gamma y \}}{2^{n}} - 1 \right|$

[0070] where Δx is the difference of the input x, Γx is the mask value of x, and Δy is the difference of the output y.

[0071] In general, it is hard to accurately obtain the maximum differential probability dp^f and maximum linear probability lp^f. Hence, security is evaluated here using the maximum differential characteristic probability DP^f and maximum linear characteristic probability LP^f, which are approximate values for the maximum differential probability dp^f and maximum linear probability lp^f.

[0072] In this embodiment, the nested SPN structure is used as an encryption function. The characteristics of an SPS structure as the basic structure of the nested SPN structure will be explained below. Note that SPS indicates a three-layered structure of S-box and diffusion layers, S and P, arranged like S-P-S. The SPS structure is regarded as a two-stage SPN structure.

[0073] In the SPS structure, if θ(x) represents the output from the diffusion layer in response to input x, the branch number B with respect to differential cryptanalysis is defined by (see reference [1] and reference [6], Hideo Shimizu & Toshinobu Kaneko, “Diffusion Layer of Common Key Cipher,” SCIS 99-72, 1999):

$B \equiv \min_{\Delta x \neq 0} \left( w(\Delta x) + w(\theta(\Delta x)) \right)$

[0074] where w( ) is the Hamming distance using the bit length of an S-box as the code length. S-boxes connected to nonzero input/output differences will be referred to as active S-boxes.

[0075] A structure obtained by connecting S-boxes to the input and output of a diffusion layer will be referred to as an SPS structure. If the S-boxes are bijections, and at least one input bit to the SPS structure has a nonzero difference, the number of active S-boxes is equal to or larger than the branch number (i.e., equal to or larger than B) according to the definition of the branch number. If p_s represents the maximum differential probability of the S-boxes, the maximum differential characteristic probability of the SPS structure does not exceed the upper limit value p_s^B.

[0076] When M parallel S-boxes are used as the S layers of the SPS structure, the branch number of the diffusion layer that couples them is equal to or smaller than (M+1), and a linear transform in which the branch number equals (M+1) is called an MDS (Maximum Distance Separable) matrix.

[0077] If the diffusion layers form an MDS matrix, the maximum differential characteristic probability of the SPS structure does not exceed the upper limit value p_s^(M+1) (reference [1]). Likewise, if q_s represents the maximum linear probability of the S-boxes, the maximum linear characteristic probability of the SPS structure does not exceed q_s^(M+1).

[0078] If a two-stage SPN structure is used as an S-box of a higher-level SPN structure, it is called an extended S-box (lower-level structure). Assume that M₁ parallel S-boxes are used, and B₁ represents the branch number of the diffusion layer in the extended S-box. Given M₂ parallel two-stage SPN structures (higher-level structure) for extended S-boxes in which B₂ represents the branch number of the diffusion layer, the number of active S-boxes in the higher-level structure does not become smaller than the lower limit value B₁×B₂. This property is called the hierarchy of the branch number.

[0079] If both the higher-level and lower-level diffusion layers form MDS matrices, the number of active S-boxes does not become smaller than (M₁+1)×(M₂+1). In this way, the upper limits of DP^f and LP^f of the nested SPN structure can be suppressed.
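The measures defined in [0069] and [0073] computed by brute force, as an added example that is not part of the patent. It uses the page's GF(2⁴) polynomial x⁴+x+1, but the S-box (field inversion) and the circulant matrix are constructed stand-ins for the FIG. 5 table and the FIG. 10 matrix, which this text does not reproduce.

```python
import itertools

POLY4 = 0b10011  # x^4 + x + 1, the polynomial the page uses for its GF(2^4) higher-level MDS

def gf4_mul(a, b):
    """Multiply two elements of GF(2^4), reducing by x^4 + x + 1 after every shift."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY4
    return r

MUL = [[gf4_mul(a, b) for b in range(16)] for a in range(16)]  # 16x16 product table

def gf4_inv(a):
    """Multiplicative inverse, with 0 mapped to 0 (brute force; the field has 16 elements)."""
    return next((b for b in range(1, 16) if MUL[a][b] == 1), 0)

SBOX = [gf4_inv(x) for x in range(16)]  # constructed 4-bit bijective S-box (field inversion)

def max_diff_count(sbox):
    """Numerator of dp^f: max over dx != 0 and dy of #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    best = 0
    for dx in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def parity(v):
    return bin(v).count("1") & 1

def max_lat_abs(sbox):
    """Largest |#{x : Gx.x = Gy.S(x)} - 2^(n-1)| over masks with Gy != 0.

    The page's lp^f = |2 * #{...} / 2^n - 1| equals 2 * (this value) / 2^n."""
    n = len(sbox)
    best = 0
    for gy in range(1, n):
        for gx in range(n):
            agree = sum(1 for x in range(n) if parity(gx & x) == parity(gy & sbox[x]))
            best = max(best, abs(agree - n // 2))
    return best

def symbol_weight(v):
    """w( ) of [0074]: the number of nonzero S-box-width symbols."""
    return sum(1 for s in v if s)

def apply_matrix(m, v):
    """theta(v): matrix-vector product over GF(2^4)."""
    out = []
    for row in m:
        acc = 0
        for coef, x in zip(row, v):
            acc ^= MUL[coef][x]
        out.append(acc)
    return out

def branch_number(m):
    """B = min over nonzero dx of w(dx) + w(theta(dx)).

    theta is linear, so a difference propagates exactly like a value, and all
    16^4 - 1 nonzero inputs are enumerated."""
    best = 2 * len(m) + 1
    for dx in itertools.product(range(16), repeat=len(m)):
        if any(dx):
            best = min(best, symbol_weight(dx) + symbol_weight(apply_matrix(m, dx)))
    return best

# Constructed circulant (2, 3, 1, 1): every square submatrix is nonsingular, so it is
# MDS and reaches the bound M + 1 = 5 of [0076]. The identity matrix is the contrast.
MDS_H = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]

def active_sbox_lower_bound(b_low, b_high):
    """Hierarchy of the branch number ([0078]): at least B1 * B2 active S-boxes."""
    return b_low * b_high

if __name__ == "__main__":
    print("max differential count =", max_diff_count(SBOX), "/ 16")
    print("max |LAT| =", max_lat_abs(SBOX))
    for name, m in (("circulant", MDS_H), ("identity", IDENTITY)):
        print(name, "branch number =", branch_number(m))
    b = branch_number(MDS_H)
    print("nested lower bound on active S-boxes:", active_sbox_lower_bound(b, b))
```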

[0080] FIG. 2 shows an example of the two-stage SPN structure when M₁=M₂=4. Reference numeral 15 denotes a diffusion part using a higher-level MDS matrix (to be described later); 11 to 14, extended S-boxes at the input side of the diffusion part; and 16 to 19, extended S-boxes at the output side of the diffusion part. In each extended S-box, reference numeral 20 denotes a diffusion part using a lower-level MDS (to be described later). The smallest rectangles 21 and 22 in FIG. 2 respectively indicate input- and output-side S-boxes.

[0081] In FIG. 2, active S-boxes are indicated by hatching (see 21 in FIG. 2), and blank S-boxes indicate zero difference (see 22 in FIG. 2). The extended S-boxes 11, 13, 16, 17, and 19 indicated by bold lines are active extended S-boxes, and the other extended S-boxes 12, 14, and 18 have zero difference. As can be seen from FIG. 2, the number of active S-boxes in four stages is 25 or more.

[0082] As described above, in the encryption scheme of this embodiment, 25 (=5×5) or more active S-boxes can be guaranteed in two stages. The maximum differential probability of each S-box is given by:

p_s = 6/256

[0083] The differential characteristic probability in two stages is given by:

p_s^25 = 2^(−135.4) << 2^(−128)

[0084] Hence, differential cryptanalysis is not effective.

[0085] Likewise, the linear characteristic probability is given by:

q_s = 22/256

q_s^25 = 2^(−88.5) << 2^(−64)

[0086] Hence, linear cryptanalysis is not effective.

[0087] Note that the SQUARE attack applied to the conventional SQUARE/Rijndael encryption scheme exploits the characteristic that, when all 2⁸ different patterns are input to one byte in a stage while fixing the other inputs, all 2⁸ different patterns appear in the respective output bytes after two stages. However, the encryption scheme of this example makes simple application of that attack difficult by improving the extendibility among S-boxes through the way the higher-level MDS (to be described later) is taken.

[0088] This embodiment will be described in detail below using an example of the nested encryption scheme.

[0089] An example of the arrangement of this embodiment will be described.

[0090] FIG. 3 shows an example of the hierarchical structure of the data randomizing part of the nested encryption scheme of this embodiment.

[0091] The block length takes 128 bits as an example (of course, the present invention can be practiced for other block lengths). The key length takes 256 bits as an example (of course, the present invention can be practiced for other key lengths). A case wherein the key length=128 bits or 192 bits when the block length=128 bits will be described later.

[0092] When a pair of a plurality of parallel extended S-boxes and a higher-level MDS (the final stage does not include any higher-level MDS, as will be described later) is counted as one stage, R represents the number of stages, and R=8 is used in an example. Note that the number of stages is basically not particularly limited. However, the actual number of stages can be appropriately set in consideration of security, computer resources, and the like, and it is more effective to set six or more stages, and more preferably eight or more stages.

[0093] In the encryption of this embodiment, since a stage function includes two S-box layers, one stage corresponds to two stages in a normal structure. As for the higher-level MDS in the stage structure, some implementations based on different Galois fields will be explained (strength-priority and speed-priority examples will be described).

[0094] FIG. 4 shows an example of the arrangement of an encryption apparatus according to this embodiment.

[0095] Reference numeral 101 denotes a processing unit (stage function) of each stage; 104, a higher-level MDS diffusion layer; 102, an extended S-box layer; and 103, individual extended S-boxes. Reference numeral 105 denotes an EX-OR unit. Reference numeral 121 denotes one stage of a key scheduling part (details will be described later). Reference symbol P denotes 128-bit plaintext as an input; and C, 128-bit ciphertext as an output.

[0096] The stage function 101 has a structure in which four parallel 32-bit processing subblocks (extended S-boxes) 103, each consisting of a two-stage SPN structure, are juxtaposed, and their outputs are coupled by the MDS diffusion layer 104. The overall basic structure is defined by repetitions of this stage function 101.

[0097] In the example of FIG. 4, to attain symmetric encryption and decryption processes, the final stage is constructed by only an extended S-box layer 102 and a key adder 105.

[0098] Since two stages of SPN structures are embedded in one stage of the stage function 101, and key addition is made at the end of the process, the bit length of an extended key is 2×128×R+128 = 128(2R+1). When R=8, the bit length is 128×17 bits.

[0099] An S-box will be explained below.

[0100] The encryption of this example uses an 8-bit S-box defined by an input/output table.

[0101] FIG. 5 shows an example of the input/output table of the 8-bit S-box. In FIG. 5, sequence elements are expressed in hexadecimal notation.

[0102] In the table of FIG. 5, the uppermost left value “72” corresponds to s[0]; its right neighboring value “AA” to s[1]; the right end value “9F” of that line to s[15]; the left end value “69” of the next line to s[16]; its right neighboring value “6A” to s[17]; and so forth. The lowermost right value “57” corresponds to s[255].

[0103] The characteristics of the S-box exemplified in FIG. 5 are as follows.

[0104] maximum differential probability: 6/256 (theoretical minimum value=4/256)

[0105] maximum linear probability: 22/256 (theoretical minimum value=16/256)

[0106] algebraic order: 7-th order (maximum value for a bijective function)

[0107] Note that the S-box may use an arithmetic process in place of the input/output table.

[0108] Each extended S-box (also called a lower-level structure) will be explained below.

[0109] FIG. 6 shows an example of the internal arrangement of the extended S-box 103. In this example, two sets of four parallel 8-bit S-boxes 112 (see FIG. 5) form a two-stage SPN structure sandwiching a diffusion layer 113 between them. This structure should be called an SPS structure, but is regarded as a special two-stage SPN structure from which the diffusion layer of the second stage is omitted. A key adder 111 is provided immediately preceding each S-box 112. The diffusion layer 113 in the extended S-box uses an MDS matrix, which is called a lower-level MDS and is expressed by MDS_L.

[0110] FIG. 7 shows an example of the MDS_L matrix used in the encryption of this embodiment. In FIG. 7, matrix elements are expressed in hexadecimal notation. Note that S-box inputs and outputs, and matrix elements, are considered as elements of the Galois field GF(2⁸) upon multiplication. The primitive polynomial in the case of this example is x⁸+x⁶+x⁵+x+1.

[0111] A higher-level structure as a stage function of the encryption of this example will be described below.

[0112] FIG. 8 shows an example of the arrangement of the one-stage portion 101 of the randomizing part. The higher-level structure 101 as a stage function of the encryption of this example is constructed by coupling four parallel 32-bit extended S-boxes 103 (see FIG. 6) by a diffusion layer 104 of an MDS matrix. The diffusion layer 104 in the higher-level structure 101 as a stage function uses an MDS matrix, which is called a higher-level MDS and is expressed by MDS_H. Note that the MDS matrix in this case means that the branch number in consideration of the extended S-box is 5.

[0113] The simplest implementation of a higher-level MDS is to use the 32-bit wide output of an extended S-box as elements of GF(2³²). Although this technique readily warrants high strength, it is generally difficult to implement or to attain high-speed processing. In this case, preferably some constraints are applied to the higher-level MDS matrix.

[0114] The four parallel MDS matrices can be sufficiently configured with a 4-bit width, and can be implemented using arithmetic operations over GF(2⁴). A cyclic MDS allows efficient calculations.

[0115] In practice, intermediate configurations using GF(2⁸) and GF(2¹⁶) are available.

[0116] A higher-level MDS using GF(2³²) will be described below.

[0117] In this case, the inputs and outputs of an extended S-box are considered as elements of GF(2³²) to design a higher-level MDS. This is a natural design method in the SPN structure. However, it is not practical with the 32-bit width to implement using a multiplication table. Also, implementation by means of calculations cannot achieve high-speed processing, since a normal MDS matrix requires a large calculation volume. The calculation volume increases since the process upon carry-up in multiplication over the Galois field is heavy. To suppress the calculation volume, a method of configuring a higher-level MDS matrix using elements in which “1”s appear in only the lower 5 bits of 32 bits (bits other than the lower 5 bits are fixed to zero) in bit expression is available. Using a matrix that satisfies such a condition, the shift-up process can be handled by table lookup using the upper 4 bits as an input.

[0118] FIG. 9 shows an example of the higher-level MDS matrix. The primitive polynomial in the case of this example is x³²+x²⁸+x²⁷+x+1.
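The constant-multiplication trick of [0117] and the multiplier/lookup-table/EX-OR device of [0014] over FIG. 9's field GF(2³²), as an added example that is not the patent's own implementation; the matrix entries and sample words are constructed, and a bit-serial multiplier serves as the reference the table method is checked against.

```python
POLY32 = (1 << 32) | (1 << 28) | (1 << 27) | (1 << 1) | 1  # x^32 + x^28 + x^27 + x + 1 (FIG. 9)
MASK32 = 0xFFFFFFFF
X32_MOD_P = POLY32 & MASK32  # x^32 mod p = x^28 + x^27 + x + 1 = 0x18000003

def gf32_mul_ref(a, b):
    """Bit-serial reference multiplier: feeds the overflow back after every shift."""
    assert 0 <= a <= MASK32 and 0 <= b <= MASK32
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 32:
            a ^= POLY32
    return r

def build_return_table():
    """Return word for each pattern of the four overflow bits (bits 32..35 of the raw product).

    x^(32+k) mod p = x^k * (x^28 + x^27 + x + 1) still fits in 32 bits for k <= 3, so each
    entry is an XOR of shifted copies of X32_MOD_P and no second reduction is needed."""
    table = []
    for high in range(16):
        word = 0
        for k in range(4):
            if (high >> k) & 1:
                word ^= X32_MOD_P << k
        table.append(word)
    return table

RETURN_TABLE = build_return_table()

def clmul(a, c):
    """Carry-less product: the multiplier of [0014], with no overflow feedback."""
    r = 0
    while c:
        if c & 1:
            r ^= a
        a <<= 1
        c >>= 1
    return r

def gf32_mul_small(a, c):
    """a * c in GF(2^32) for a constant c whose ones lie only in its lower 5 bits.

    The raw product has at most 36 bits; its upper 4 bits index the return word,
    which is EX-ORed into the lower 32 bits."""
    assert 0 <= a <= MASK32 and 0 <= c < 32
    raw = clmul(a, c)
    return (raw & MASK32) ^ RETURN_TABLE[raw >> 32]

# Constructed circulant whose entries all satisfy the lower-5-bit constraint; it is MDS
# because every square submatrix is nonsingular (not the FIG. 9 matrix).
MDS_H32 = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def higher_level_mds_gf32(words, matrix=MDS_H32):
    """Diffuse four 32-bit extended S-box outputs as elements of GF(2^32)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, w in zip(row, words):
            acc ^= gf32_mul_small(w, coef)
        out.append(acc)
    return out

def cross_check(words, constants=range(32)):
    """True if the table method agrees with the reference for every word/constant pair."""
    return all(gf32_mul_small(w, c) == gf32_mul_ref(w, c) for w in words for c in constants)

if __name__ == "__main__":
    sample = [0x80000000, 0xDEADBEEF, 0x00000001, 0x7FFFFFFF]  # constructed words
    print("return word for overflow 0001:", hex(RETURN_TABLE[1]))
    print("table method matches reference:", cross_check(sample))
    print("diffused:", [hex(w) for w in higher_level_mds_gf32(sample)])
```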

[0119] A higher-level MDS using GF(2⁴) will be explained.

[0120] FIG. 10 shows an example of the MDS matrix in this case. The primitive polynomial in the case of this example is x⁴+x+1.

[0121] In this case, 1-bit data at corresponding positions (the most significant bits are exemplified in FIG. 10) of the outputs, i.e., the 8-bit data of the four S-boxes in one extended S-box 103, form 4-bit data per set, and four sets of 4-bit data from one extended S-box 103 are considered as elements of GF(2⁴).

[0122] The diffusion layer 104 between two stages of four parallel extended S-box layers 103 uses 4 (rows)×4 (columns) MDS matrices (e.g., 104-1 in the case of the most significant bits in FIG. 10) at corresponding positions of the 8-bit data.

[0123] The four sets of 4-bit data as outputs are connected to corresponding positions of the corresponding source 8-bit data.

[0124] Eight MDS matrices (104-1 to 104-8) are prepared as higher-level MDS matrices in correspondence with the bit width of the S-boxes.

[0125] These 4 (rows)×4 (columns) MDS matrices guarantee branch number=5. Since the individual MDS matrices are connected to different bit positions in the S-boxes, branch number=5 is guaranteed as a whole.

[0126] By table lookup in units of S-box outputs at corresponding positions of the extended S-boxes (or by arithmetic operations), an efficient implementation that simultaneously processes the eight MDS matrices can be made.

[0127] If cyclic MDS matrices are used, an efficient process that combines EX-ORing in units of 32 bits and bit rotations in units of 8 bits can be performed.

[0128] Based on the same idea as described above, processing may be performed in units of 2 bits at corresponding positions of the 8-bit data, and four 4 (rows)×4 (columns) MDS matrices (GF(2⁸)) having 8-bit elements may be prepared as higher-level MDS matrices. On the other hand, processing may be performed in units of 4 bits at corresponding positions of the 8-bit data, and two 4 (rows)×4 (columns) MDS matrices (GF(2¹⁶)) having 16-bit elements may be prepared as higher-level MDS matrices.

[0129] In the above description, bits at corresponding positions are extracted and processed. Alternatively, bits at different positions may be (exclusively) extracted and processed. In FIG. 10, four parallel extended S-boxes 103 are used, but the number of parallel extended S-boxes is not limited to such a specific value. Also, all the extended S-boxes need not have the same internal arrangement, and some of them may have different arrangements. All the higher-level MDS matrices need not have the same internal arrangement, and some of them may have different arrangements. The same applies to the lower-level MDS matrices and the input/output tables of the S-boxes. For example, the first input stage and last output stage may have internal arrangements different from those of the intermediate stages. In addition, various other variations are available.
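The FIG. 10 arrangement of [0121] to [0125] in code, as an added example that is not the patent's own: bit k of each of the four S-box outputs in an extended S-box forms one GF(2⁴) element, the four extended S-boxes give a 4-element vector, and one 4×4 matrix per bit position diffuses it. The matrix is a constructed circulant with entries in {1, 2, 3} over GF(2⁴) with x⁴+x+1, not the FIG. 10 matrix, and the input words are constructed.

```python
POLY4 = 0b10011  # x^4 + x + 1 ([0120])

def xtime4(v):
    """Multiply by x (the element 2) in GF(2^4) with x^4 + x + 1."""
    v <<= 1
    return (v ^ POLY4) & 0xF if v & 0x10 else v

# Multiplication by the only constants the constructed matrices use.
MUL_BY = {0: lambda v: 0, 1: lambda v: v, 2: xtime4, 3: lambda v: xtime4(v) ^ v}

# Constructed circulant; MDS over GF(2^4) (all square submatrices nonsingular), not FIG. 10's.
MDS_H = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]

def mds_gf4(matrix, vec):
    """One 4x4 matrix-vector product over GF(2^4)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, v in zip(row, vec):
            acc ^= MUL_BY[coef](v)
        out.append(acc)
    return out

def split_bytes(word):
    """The four 8-bit S-box outputs of one extended S-box (byte j = S-box j)."""
    return [(word >> (8 * j)) & 0xFF for j in range(4)]

def slice_bit(sbox_bytes, k):
    """Bit k of each S-box output, packed into a GF(2^4) element (S-box j -> bit j)."""
    return sum(((b >> k) & 1) << j for j, b in enumerate(sbox_bytes))

def higher_level_mds_gf4(words, matrix=MDS_H):
    """Apply the eight bit-position matrices (104-1 .. 104-8) to four 32-bit words."""
    state = [split_bytes(w) for w in words]
    out = [[0] * 4 for _ in range(4)]
    for k in range(8):
        vec = [slice_bit(state[i], k) for i in range(4)]   # one element per extended S-box
        res = mds_gf4(matrix, vec)
        for i in range(4):
            for j in range(4):
                out[i][j] |= ((res[i] >> j) & 1) << k     # back to bit k of S-box j
    return [sum(out[i][j] << (8 * j) for j in range(4)) for i in range(4)]

def active_words(words):
    """Number of nonzero extended S-box outputs (active extended S-boxes)."""
    return sum(1 for w in words if w)

if __name__ == "__main__":
    single = [0x00000001, 0, 0, 0]  # constructed: one active extended S-box on input
    spread = higher_level_mds_gf4(single)
    print([hex(w) for w in spread], "active extended S-boxes:", active_words(spread))
```

One active input word makes all four output words active, which is the branch number 5 of [0125] seen at the extended S-box level.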

[0130] The key scheduling part (key generator) will be explained below.

[0131] FIG. 11 shows an example of the arrangement of the key scheduling part. Reference numeral 121 denotes a portion corresponding to one stage of the stage function of the data diffusion part; 131, a linear diffusion layer (in this example, a diffusion layer using a higher-level MDS matrix); 132, a nonlinear transformation layer (in this example, four parallel SP layers (S-box layers/diffusion layers) 133); 134, an EX-OR unit; and 135, a remainder adder. Although not shown in FIG. 11, the arrangement of the portion 121 is repeated in correspondence with the number of stages. When the arrangement unit that outputs a 128-bit key is defined as one stage of the key scheduling part, the number of stages of the key scheduling part is (2R+1) (=17 when R=8).

[0132] In the example shown in FIG. 11, 128 bits as the left half of the output of each stage of a 256-bit modified Feistel repetitive process are extracted, and a stage number dependent constant C_(i) is added thereto as a remainder to obtain an extended key.

[0133] When the key length is 256 bits, for example, the upper 128 bits are input to the linear diffusion layer 131 of the first stage, and the lower 128 bits are input to the nonlinear transformation layer 132. When the key length is 128 bits, for example, the 128 bits are input to the linear diffusion layer 131 of the first stage, and also to the nonlinear transformation layer 132. When the key length is 192 bits (=64 bits×3), for example, 128 bits obtained by coupling the upper 64 bits and the intermediate 64 bits are input to the linear diffusion layer 131 of the first stage, and 128 bits obtained by coupling the upper 64 bits and the lower 64 bits are input to the nonlinear transformation layer 132.

[0134] Note that the location of the remainder adder 136 that adds the stage number dependent constant C_(i) as a remainder may have various variations, as shown in FIG. 12.

[0135] FIG. 13 shows an example of the arrangement of each SP layer 133 of the nonlinear transformation layer 132 in FIGS. 11 and 12. Reference numeral 141 denotes S-boxes; and 142, a lower-level MDS for receiving the outputs from the four parallel S-boxes.

[0136] Note that this S-box may be either the same as or different from that (FIG. 5) for the encryption processing shown in FIG. 4. The same applies to the lower-level MDS. The S-boxes and the lower-level MDS may have different arrangements in units of stages of the key scheduling part.

[0137] FIG. 14 shows another example of the arrangement of each SP layer 133 of the nonlinear transformation layer 132 in FIGS. 11 and 12. In this example, EX-OR units 143 are added to the arrangement shown in FIG. 13.

[0138] Furthermore, the constant to be EX-ORed with the input to each S-box in FIG. 14 may be a stage number dependent constant.

[0139] An example of a method of generating different constants C_(i) in the individual stages will be explained below.

[0140] The 128-bit additive constant C_(i) of the key scheduling part in FIGS. 11 and 12 is described by a combination of four constants (H₀, H₁, H₂, H₃). Examples of the 32-bit constants H_(i) are:

H₀=(5A827999)_(H)=⌊(√2/4)×2³²⌋

H₁=(6ED9EBA1)_(H)=⌊(√3/4)×2³²⌋

H₂=(8F1BBCDC)_(H)=⌊(√5/4)×2³²⌋

H₃=(CA62C1D6)_(H)=⌊(√10/4)×2³²⌋

[0141] where ⌊x⌋ is the floor function and indicates the largest integer which is not larger than x.

[0142] A combination of additive constants C_(i) is described by C_(i)=(C_(i0), C_(i1), C_(i2), C_(i3)). In order to allow easy generation of different 128-bit constants C_(i) in the individual stages, 8-bit LFSRs are used to determine the combination of H_(i) which forms C_(i). For example, (1D)_(H) is used as the primitive polynomial of each LFSR, and (8B)_(H) is used as the initial state of each LFSR. The bit sequence generated using the LFSRs is read out in units of 2 bits to determine which 32-bit constant H_(i) is used as each constant.

[0143] FIG. 15 shows an example of an additive constant table determined using the LFSRs by the aforementioned method.

[0144] Note that the initial state of each LFSR may be variable or fixed. In the former case, the initial state of each LFSR partially defines the key. In the latter case, only a decryption apparatus having the same initial state of each LFSR as that in the encryption apparatus can decrypt the ciphertext.
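As an added worked example (editor's code, not part of the patent or of any reference implementation), the following Python computes the four 32-bit constants H₀ to H₃ of [0140] exactly with integer square roots and derives per-stage constants C_(i) from an 8-bit LFSR with the feedback polynomial (1D)_(H) and initial state (8B)_(H) given in [0142]. The patent fixes those two LFSR parameters but not the shift direction, the number of LFSRs or how the 2-bit reads are mapped onto H_(i); the left-shift Galois form, a single LFSR read 8 bits per stage, and word-wise addition modulo 2³² for the "remainder" addition of [0132] are this example's assumptions.

```python
from math import isqrt


def h_constant(n):
    """H = floor((sqrt(n)/4) * 2^32) = floor(sqrt(n) * 2^30), computed exactly:
    isqrt(n * 2^60) avoids the rounding error a floating-point sqrt could add."""
    return isqrt(n << 60)


# H0..H3 of [0140] correspond to n = 2, 3, 5, 10
H = [h_constant(n) for n in (2, 3, 5, 10)]


class LFSR8:
    """8-bit Galois LFSR. The polynomial (1D)H and initial state (8B)H come from
    [0142]; the left-shift convention used here (equivalent to multiplying the
    state by x modulo x^8+x^4+x^3+x^2+1) is an assumption of this example."""

    def __init__(self, state=0x8B, poly=0x1D):
        self.state = state
        self.poly = poly

    def bit(self):
        """Emit the MSB, then step the register once."""
        out = self.state >> 7
        self.state = ((self.state << 1) & 0xFF) ^ (self.poly if out else 0)
        return out

    def bits(self, n):
        """Read n bits MSB-first as an integer (n = 2 selects one of H0..H3)."""
        v = 0
        for _ in range(n):
            v = (v << 1) | self.bit()
        return v


def stage_constants(num_stages, lfsr=None):
    """C_i = (C_i0, C_i1, C_i2, C_i3) for every stage. Assumed here: a single
    LFSR is read 8 bits per stage, two bits per 32-bit word, each 2-bit value
    indexing H."""
    lfsr = lfsr or LFSR8()
    return [tuple(H[lfsr.bits(2)] for _ in range(4)) for _ in range(num_stages)]


def add_constant(words, c_i):
    """The 'remainder' addition of C_i to the 128-bit left half, assumed to be
    word-wise addition modulo 2^32."""
    return tuple((w + c) & 0xFFFFFFFF for w, c in zip(words, c_i))


def lfsr_period(state=0x8B, poly=0x1D):
    """Steps until the register returns to its initial state (255 for a
    primitive degree-8 polynomial, so the 2-bit reads do not repeat early)."""
    reg = LFSR8(state, poly)
    steps = 0
    while True:
        reg.bit()
        steps += 1
        if reg.state == state:
            return steps


if __name__ == "__main__":
    for i, h in enumerate(H):
        print(f"H{i} = {h:08X}")
    # 2R+1 = 17 stage constants for R = 8 ([0131])
    for i, c in enumerate(stage_constants(17)):
        print(f"C_{i} =", " ".join(f"{w:08X}" for w in c))
```

Running the block prints the four H values, which match the hexadecimal values quoted in [0140], followed by 17 stage constants; `lfsr_period()` confirms the register cycles through all 255 nonzero states, which is what makes the LFSR suitable for producing distinct constants across stages.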

[0145] According to the aforementioned key scheduling part, in each SP layer 133, when 1 bit of the input has changed, the S-boxes 141 can spread that change to 8 bits, and the lower-level MDS 142 can spread the change to 32 bits. Furthermore, in the linear diffusion layer, since the higher-level MDS 131 largely diffuses the output from the nonlinear transformation layer of the previous stage, a 1-bit difference is propagated to the full 128-bit width.

[0146] Therefore, according to the key scheduling part, the respective stages easily generate well-diffused, random keys. Since different constants are used in units of stages, keys rarely match among stages.

[0147] Note that the key scheduling part may have another arrangement.

[0148] An efficient linear diffusion device used in the diffusion part of a block encryption scheme having a large block length will be explained below.

[0149] FIG. 16 shows an example of the arrangement of a Galois field multiplier as a basic component of the linear diffusion device of this embodiment. This linear diffusion device is used to calculate the product of one input and one element of the higher-level MDS matrix in the aforementioned higher-level MDS (see 104 in FIGS. 9 and 4, 131 in FIGS. 11 and 12) using GF(2³²) or GF(2¹⁶).

[0150] As shown in FIG. 16, the Galois field multiplier comprises a coefficient storage unit 202, multiplier 203, carry return unit 201, and EX-OR unit 204.

[0151] The coefficient storage unit 202 stores a coefficient, i.e., the multiplier of the multiplication (for example, one element of the higher-level MDS matrix in FIG. 9).

[0152] The multiplier 203 multiplies the input word and the coefficient as binary values.

[0153] When the coefficient of the coefficient storage unit 202 is a power of 2 such as 1, 2, 4, . . . , the calculation can be made using a normal multiplier. On the other hand, if the multiplier is a specific one that does not propagate any carry, the calculation can be made when the coefficient of the coefficient storage unit 202 is an arbitrary value.

[0154] The carry return unit 201 looks up a value (return word) to be added by the EX-OR unit 204, so as to feed the carry produced by the multiplication back into the multiplication over the Galois field.

[0155] The EX-OR unit 204 exclusively ORs the output from the multiplier 203 and the output bits of the carry return unit 201.

[0156] The function of the Galois field multiplier 200 is to calculate, as an output word, the product a×b of input word “a” as an element of an extension field GF(2^(k)) of a Galois field GF(2), and a coefficient “b” as another element of that Galois field.

[0157] The product in the Galois field will be described below.

[0158] In the following description, i and j upon calculating the sum totals in Σa_(i)x^(i) and Σb_(j)x^(j) range from 0 to k−1, and a description of these ranges will be omitted.

[0159] Elements of GF(2^(k)) are expressed as a (k−1)-th order polynomial Σa_(i)x^(i) in a given variable x by polynomial expression. Element “a” is often expressed by arranging its coefficients like c_(k−1), c_(k−2), . . . , c₀.

[0160] The product of two elements a=Σa_(i)x^(i) and b=Σb_(i)x^(i) is defined by:

a×b=(Σa_(i)x^(i))×(Σb_(i)x^(i)) mod p(x)

[0161] where p(x) is called a primitive polynomial of GF(2^(k)), and is a k−1th order irreducible monic polynomial. Also, “mod” means that, for example, when k=32 and p(x)=x³²+x²⁸+x²⁷+x+1 is selected as the primitive polynomial, if the term x³² or a multiple of it appears in the product of the polynomials, it is replaced by (x²⁸+x²⁷+x+1). Therefore, the product is also a polynomial of order k or less.

[0162] In general, upon executing such an operation, a multiplier using a multiplication table that looks up the product using the multiplier and multiplicand as indices is often used so as to attain high-speed processing. However, since both the multiplier and multiplicand can assume 2^(k) values, the multiplication table has 2^(2k) entries, each having a k−1 bit size. For this reason, when k becomes large to some extent, the multiplication table has a very large size.

[0163] This embodiment is basically similar to the method using the multiplication table, but when the coefficients satisfy a given constraint condition, such a table can be implemented with a much smaller storage size.

[0164] In this constraint condition, coefficient b is a constant, and only lower-order coefficients of a given order t or less are nonzero (coefficients exceeding the t-th order are 0, and coefficients of the t-th order or less are 0 or 1). When the given element “a” is an arbitrary element, a maximum of a 32-bit carry is generated, but when this constraint condition is satisfied, a carry of at most t bits is generated. The t-bit carry value is determined by the MSBs (Most Significant Bits), i.e., the upper t bits, of multiplicand “a”.

[0165] The difference between multiplication over the Galois field and that considered as a normal polynomial is that when a carry to a coefficient of the 32nd order or higher is generated as a product of binary values, the contribution of that carry must be returned to the coefficients of less than the 32nd order by the primitive polynomial; in this embodiment, the carry return unit 201 holds the words to be returned in the form of a table.

[0166] This return word is determined by coefficient b of (t+1) bits at most, the upper t bits of multiplicand “a”, and the primitive polynomial. That is, the return word is given by (a[(k−t) . . . (k−1)]×b)[(t+1) . . . 2t] mod p(x), where a[(k−t) . . . (k−1)] extracts the terms from the (k−1)-th order to the (k−t)-th order of “a”.

[0167] That is, the contents of the return word table of the carry return unit 201 are determined in correspondence with the elements of the corresponding MDS matrix (see FIG. 9).

[0168] The return word table of the carry return unit 201 has 2^(t) entries, each having a k−1 bit size.

[0169] The linear transformation section which is implemented using the aforementioned Galois field multiplier and calculates the linear transforms of data blocks of the block encryption scheme will be described below.

[0170] Linear transformation using an MDS matrix is known as a kind of linear transformation. The MDS matrix is an n (rows)×n (columns) matrix used when a data block consists of a plurality of (n) words; each word, having a k−1 bit length, is considered as an element of a Galois field GF(2^(k)); the matrix linearly maps a set of n elements to a set of n elements, and all of its small matrices (minors) are nonzero. Linear transformation based on the MDS matrix can guarantee the lower limit of the number of nonzero input/output words.

[0171] However, in general, a matrix operation over the Galois field GF(2^(k)) includes several multiplications and additions over GF(2^(k)), resulting in a high calculation cost.

[0172] FIG. 17 shows an example of the arrangement of the linear transformation section of this embodiment. This linear transformation section is used in the aforementioned higher-level MDS (104 in FIGS. 9 and 4, 131 in FIGS. 11 and 12) using GF(2³²) or GF(2¹⁶).

[0173] In the arrangement shown in FIG. 17, the Galois field multipliers shown in FIG. 16 are prepared in a matrix pattern in correspondence with the MDS matrix.

[0174] If m=n in FIG. 17, the coefficient of each of the n² Galois field multipliers 200 assumes the same value as the corresponding element of an n (rows)×n (columns) MDS matrix. A device having a coefficient a_(ij) receives the i-th input word.

[0175] EX-OR units 205 corresponding to the respective output words calculate the EX-ORs of the output bits of all the Galois field multipliers 200 having coefficients a_(ij) corresponding to a given j, and output them as the j-th output words.

[0176] FIG. 18 shows another example of the arrangement of the linear transformation section of this embodiment. According to the linear transformation section of this example, when the MDS matrix that expresses the linear transformation is expressed by (a_(ij)), only terms of the t-th order or less of each element a_(ij) have nonzero coefficients. Assume that i and j can assume an integer ranging from 0 to n−1. Also, t is a positive value smaller than the extension order k of the Galois field GF(2^(k)).

[0177] In this way, the multiplication shown in FIG. 18 can be implemented.

[0178] Note that the contents of the return word table of the carry return unit 201 are determined in accordance with the corresponding elements of the MDS matrix. Therefore, in the example of the higher-level MDS matrix shown in FIG. 9, only four different return word tables are prepared.
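To make the carry-return mechanism of FIGS. 16 to 18 concrete, here is an added Python example (editor's code, not taken from the patent): a reference GF(2³²) product using the primitive polynomial x³²+x²⁸+x²⁷+x+1 named in [0161], the 2^(t)-entry return-word table for a coefficient whose order is at most t, the table-based multiplier of FIG. 16, and the matrix-of-multipliers transform of FIG. 17 that shares one table per distinct coefficient, as [0178] describes. The "normal multiplier that does not propagate any carry" of [0153] is modelled as a carry-less product; the coefficient values, the 4×4 coefficient matrix and the choice t=7 are constructed for the demonstration and are not the FIG. 9 matrix.

```python
from functools import reduce
from operator import xor

K = 32
# p(x) = x^32 + x^28 + x^27 + x + 1, the primitive polynomial quoted in [0161]
P = (1 << 32) | (1 << 28) | (1 << 27) | (1 << 1) | 1


def clmul(a, b):
    """Carry-less product of two bit-polynomials (what a multiplier that
    'does not propagate any carry' produces); no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce_mod(r, k=K, p=P):
    """Reduce r(x) modulo p(x) of degree k: every x^d with d >= k is replaced
    by x^(d-k) * (p(x) - x^k), the substitution rule described in [0161]."""
    for d in range(r.bit_length() - 1, k - 1, -1):
        if (r >> d) & 1:
            r ^= p << (d - k)
    return r


def gf_mul_reference(a, b):
    """The definition of [0160]: a(x) * b(x) mod p(x)."""
    return reduce_mod(clmul(a, b))


def build_return_table(b, t, k=K, p=P):
    """Return-word table of the carry return unit 201 for a fixed coefficient b
    of order <= t. Entry h (the upper t bits of the multiplicand a) holds the
    reduction of the bits of a*b that spill above x^(k-1); only those bits
    depend on h, so 2^t entries of k bits suffice ([0166], [0168])."""
    assert b < (1 << (t + 1)), "coefficient must have nonzero bits only up to order t"
    table = []
    for h in range(1 << t):
        spill = clmul(h, b) >> t          # the bits of a*b at positions >= k, relative to x^k
        table.append(reduce_mod(spill << k, k, p))
    return table


def gf_mul_tabled(a, b, t, table, k=K):
    """FIG. 16: carry-less multiply truncated to k bits, XORed (unit 204) with
    the return word selected by the upper t bits of a (unit 201)."""
    low = clmul(a, b) & ((1 << k) - 1)
    return low ^ table[a >> (k - t)]


# Constructed 4x4 coefficient matrix with four distinct values of order <= 3
# (for the table-sharing demonstration only; not FIG. 9 and not checked for the MDS property)
DEMO_MATRIX = [[0x1, 0x2, 0x4, 0x8],
               [0x8, 0x1, 0x2, 0x4],
               [0x4, 0x8, 0x1, 0x2],
               [0x2, 0x4, 0x8, 0x1]]


def mds_transform(matrix, words, t):
    """FIG. 17/18: output word j = XOR over i of a_ij * (input word i), each
    product done by a tabled multiplier. Equal coefficients share one
    return-word table, so the number of tables equals the number of distinct
    matrix elements (cf. [0178]). Returns (output words, number of tables)."""
    n = len(matrix)
    tables = {}
    out = []
    for j in range(n):
        acc = 0
        for i in range(n):
            c = matrix[i][j]
            if c not in tables:
                tables[c] = build_return_table(c, t)
            acc ^= gf_mul_tabled(words[i], c, t, tables[c])
        out.append(acc)
    return out, len(tables)


def mds_transform_reference(matrix, words):
    """Same transform with the textbook product, for cross-checking."""
    n = len(matrix)
    return [reduce(xor, (gf_mul_reference(words[i], matrix[i][j]) for i in range(n)), 0)
            for j in range(n)]


if __name__ == "__main__":
    words = [0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]   # constructed input block
    out, ntables = mds_transform(DEMO_MATRIX, words, 7)
    print([f"{w:08X}" for w in out], "tables:", ntables)
    print(out == mds_transform_reference(DEMO_MATRIX, words))
```

With t=7 each table has 128 entries of 32 bits, against the 2^(64) entries a full multiplication table over GF(2³²) would need; the cross-check against `gf_mul_reference` is the test a practitioner should keep when porting the table approach to a different primitive polynomial or word size.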

[0179] An MDS matrix generation section (or random generation algorithm) for generating an MDS matrix (especially, a higher-level MDS) used in the encryption system of the present invention will be explained below.

[0180] FIG. 19 shows an example of the arrangement of the MDS matrix generation section. As shown in FIG. 19, the MDS matrix generation section comprises an element generator 231, small determinant calculation unit 232, and discrimination unit 233.

[0181] FIG. 20 shows an example of the sequence in this case.

[0182] The element generator 231 randomly generates the matrix elements of an n (rows)×n (columns) MDS matrix (step S1). When the aforementioned Galois field multiplier is to be applied, an MDS matrix in which only the lower t bits of each element are nonzero (elements of the t-th order or less) is generated (that is, in this case, the element generator 231 checks if only the lower t bits are nonzero).

[0183] In order to generate the matrix elements, various methods such as a method of generating and using random numbers, a method of using the control variable values of multiple loops, and the like are available.

[0184] The small determinant calculation unit 232 calculates the 1st-order small determinants (minors) of the matrix generated by the element generator 231 (step S2), and the discrimination unit 233 checks if each small determinant calculated by the small determinant calculation unit 232 is nonzero (step S3). If at least one zero 1st-order small determinant is found, the processing is performed again from step S1.

[0185] If all 1st-order small determinants are nonzero, the 2nd-order small determinants are similarly checked (steps S4 and S5).

[0186] The aforementioned process is repeated up to the nth-order small determinants (steps S6 and S7), and if it is confirmed that all small determinants from the 1st order to the nth order are nonzero, that MDS matrix is output (step S8).

[0187] When the MDS matrix obtained in step S8 is used in encryption, the MDS matrix used in decryption is given by the inverse matrix of the MDS matrix obtained in step S8 (conversely, when the MDS matrix obtained in step S8 is used in decryption, its inverse matrix is used as the MDS matrix used in encryption).

[0188] Note that even if all elements of the MDS matrix obtained in step S8 have nonzero bits only in their lower t bits, the elements of its inverse matrix do not always have nonzero bits only in their lower t bits.

[0189] In the sequence shown in FIG. 20, the small determinants are checked in turn from the 1st order to the nth order, but they may be checked in other orders, or all or some of these determinants may be checked in parallel.

[0190] A method of obtaining MDS matrices so that both the MDS matrix used in encryption and that used in decryption (the inverse matrix of the former) satisfy the condition that only the lower t bits are nonzero will be explained below.

[0191] FIG. 21 shows an example of the arrangement of the MDS matrix generation section in this case. As shown in FIG. 21, the MDS matrix generation section comprises the element generator 231, the small determinant calculation unit 232, the discrimination unit 233, an inverse matrix generator 234, and an inverse matrix discrimination unit 235. The element generator 231, small determinant calculation unit 232, and discrimination unit 233 are the same as those in FIG. 19.

[0192] FIG. 22 shows an example of the sequence in this case.

[0193] As in the above example, the element generator 231, small determinant calculation unit 232, and discrimination unit 233 generate an MDS matrix consisting of elements only the lower t bits of which are nonzero (step S11).

[0194] The inverse matrix generator 234 generates the inverse matrix of the generated MDS matrix (step S12).

[0195] The inverse matrix discrimination unit 235 checks if only the lower t bits of each element of the obtained inverse matrix are nonzero.

[0196] If only the lower t bits of all elements are nonzero (step S13), this MDS matrix and its inverse matrix are output (step S14).

[0197] If at least one element is found to have a nonzero bit outside its lower t bits (step S13), the processing is performed again from step S11.

[0198] When the MDS matrix generated in step S11 is used in encryption, the inverse matrix generated in step S12 is used in decryption (conversely, when the MDS matrix generated in step S11 is used in decryption, the inverse matrix generated in step S12 is used in encryption).

[0199] Upon generating an MDS matrix, an MDS matrix in which elements having identical values are not present in the same row (in an n (rows)×n (columns) MDS matrix, the (i1)-th to (in)-th elements do not include two or more elements having identical values) may be generated. For example, in the examples of the sequences shown in FIGS. 20 and 22, it is determined upon generating an MDS matrix whether elements having identical values are present in a single row, and if elements having identical values are found in a single row, the MDS matrix may be generated again. Note that, alternatively, elements having identical values may be allowed in a single row.

[0200] Using a linear transformation section that selects an MDS matrix in which elements having identical values are not present in a single row as the linear transformation section of the block encryption scheme data, the probability that the differential values of the input words cancel each other can be reduced.

[0201] On the other hand, an MDS matrix in which the sum of the elements in a single row is not 1 or 0 may be generated. In this case, the same effect can be obtained.
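The generation sequences of FIGS. 20 and 22 ([0182] to [0189] and [0193] to [0198]) and the optional row conditions of [0199] to [0201], as one added Python example (editor's code, not from the patent): all minors of orders 1 to n are checked for nonzero determinant over GF(2^(k)), the inverse is computed by Gauss-Jordan elimination over the field, both matrices are checked for the "only lower t bits nonzero" constraint, and the loop repeats until both pass. The field here is GF(2⁴) with the polynomial x⁴+x+1, an assumption, since the patent does not state which polynomial its GF(2⁴) higher-level MDS uses; the "sum of the elements in a row" of [0201] is taken as the field sum (XOR). The 2×2 matrix with elements 5, 7, A, B that the patent gives later as the FIG. 30 example is used as a fixed test input.

```python
import itertools
import random

# Assumed field for the worked example: GF(2^4), polynomial x^4 + x + 1 (0x13).
K = 4
POLY = 0x13


def gf_mul(a, b, k=K, poly=POLY):
    """Product in GF(2^k): carry-less multiply, then reduce degrees k..2k-2 by poly."""
    r = 0
    for i in range(k):
        if (b >> i) & 1:
            r ^= a << i
    for d in range(2 * k - 2, k - 1, -1):
        if (r >> d) & 1:
            r ^= poly << (d - k)
    return r


def gf_inv(a, k=K, poly=POLY):
    """Multiplicative inverse by exhaustive search (adequate for the small field used here)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return next(x for x in range(1, 1 << k) if gf_mul(a, x, k, poly) == 1)


def det(m, k=K, poly=POLY):
    """Determinant over GF(2^k) by Laplace expansion; in characteristic 2 the
    alternating signs vanish, so every term is simply XORed in."""
    n = len(m)
    if n == 1:
        return m[0][0]
    d = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gf_mul(m[0][j], det(minor, k, poly), k, poly)
    return d


def is_mds(m, k=K, poly=POLY):
    """Steps S2..S7 of FIG. 20: every square submatrix of every order 1..n has a nonzero determinant."""
    n = len(m)
    for order in range(1, n + 1):
        for rows in itertools.combinations(range(n), order):
            for cols in itertools.combinations(range(n), order):
                if det([[m[r][c] for c in cols] for r in rows], k, poly) == 0:
                    return False
    return True


def inverse(m, k=K, poly=POLY):
    """Step S12 of FIG. 22: Gauss-Jordan inversion over GF(2^k) (subtraction is XOR)."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[piv] = a[piv], a[col]
        scale = gf_inv(a[col][col], k, poly)
        a[col] = [gf_mul(x, scale, k, poly) for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x ^ gf_mul(f, y, k, poly) for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def only_low_t_bits(m, t):
    """Step S13 / [0182]: every element has nonzero bits only at orders <= t."""
    mask = ~((1 << (t + 1)) - 1)
    return all((x & mask) == 0 for row in m for x in row)


def row_conditions(m):
    """Optional conditions of [0199]/[0201]: no repeated value within a row,
    and the row sum (in the field, i.e. XOR) is neither 0 nor 1."""
    for row in m:
        if len(set(row)) != len(row):
            return False
        s = 0
        for x in row:
            s ^= x
        if s in (0, 1):
            return False
    return True


def generate_mds(n, t, k=K, poly=POLY, rng=random.Random(1)):
    """The FIG. 22 loop: draw elements with only their low t bits nonzero (step S11),
    require the MDS property, invert (S12), and accept only if the inverse also
    satisfies the low-t constraint (S13/S14). Returns (matrix, inverse)."""
    while True:
        m = [[rng.randrange(1, 1 << (t + 1)) for _ in range(n)] for _ in range(n)]
        if not is_mds(m, k, poly):
            continue
        inv = inverse(m, k, poly)
        if only_low_t_bits(inv, t):
            return m, inv


if __name__ == "__main__":
    fig30 = [[0x5, 0x7], [0xA, 0xB]]
    print("FIG. 30 matrix is MDS:", is_mds(fig30), "inverse:", inverse(fig30))
    m, inv = generate_mds(2, 2)
    print("generated:", m, "inverse:", inv, "row conditions:", row_conditions(m))
```

`generate_mds` with a small t is the case [0188] warns about: the MDS property alone does not keep the inverse within the low-t constraint, so the loop can reject several otherwise valid matrices before it returns a pair usable by the table-based multiplier in both directions.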

[0202] A method of improving security by selecting (or optimizing) the combination of S-box and lower-level MDS and, more particularly, a design method for a combination of S-box and lower-level MDS which can guarantee that the maximum differential characteristic probability becomes better than the theoretical worst example, will be described below.

[0203] Since an MDS guarantees only the branch number B, if p represents the maximum differential probability of the S-boxes, the maximum differential characteristic probability is p^(B). For example, an m (rows)×m (columns) MDS has B=m+1. However, by selecting (optimizing) the combination of S-box and lower-level MDS, a maximum differential characteristic probability of less than p^(B) can be guaranteed for the branch number B. As a result, by combining S-boxes with an MDS having a smaller maximum differential probability than a normal MDS, a synergetic effect can be expected, and security can be further improved.

[0204] As security evaluation schemes of an encryption algorithm, differential cryptanalysis and linear cryptanalysis are known, and they have duality. Paying attention to differential cryptanalysis, the security of S-boxes is specified by the probability that the input and output have a differential correlation, and is higher with decreasing probability. In the encryption algorithm, security is improved as a larger number of S-boxes with a smaller differential probability are combined. As an efficient coupling method of S-boxes, a linear transformation section has been conventionally proposed. The linear transformation section calculates the linear transform of data having a given block length, and is used as a component of an encryption apparatus (and a decryption apparatus). Linear transformation using an MDS matrix is known as a kind of linear transformation.

[0205] An MDS matrix defines a linear transformation on n words when a data block is made up of a plurality of (n) words, and guarantees (n+1) or more nonzero input/output words. However, since an S-box has a plurality of candidate values such as 6/256, 4/256, 2/256, and the like as a differential probability, an MDS in which each of the (n+1) probabilities is 4/256 can assure higher security than an MDS in which each of the (n+1) probabilities is 6/256.

[0206] Conventionally, the securities of the S-box and MDS are individually evaluated as sole building elements. In this embodiment, an example of a device for verifying the synergism of the S-box and MDS will be described.

[0207] FIG. 23 shows an example of the processing sequence in this case. This example pays attention to differential cryptanalysis, and shows a process for determining an MDS that can be expected to show synergism with the S-box. Since differential cryptanalysis and linear cryptanalysis have duality, the same effect can be obtained for linear cryptanalysis when this process is performed in consideration of the linear probability.

[0208] A plurality of S-box candidates and a plurality of lower-level MDS candidates are generated (steps S21 and S22). Note that steps S21 and S22 may be executed in the reverse order, or may be executed in parallel.

[0209] One of the S-box candidates is selected (step S23), and one of the lower-level MDS candidates is selected (step S24). Note that steps S23 and S24 may be executed in the reverse order, or may be executed in parallel.

[0210] As will be described later, the maximum difference of the effective (active) S-boxes is calculated (step S25), and it is determined if a difference (e.g., 4/256) smaller than the upper limit (e.g., 6/256) is included.

[0211] If such a difference is included (step S26), the combination of S-box and lower-level MDS at that time is output (step S27).

[0212] On the other hand, if no such difference is included (step S26), one or both of the S-box and lower-level MDS is or are reselected to repeat the aforementioned process.

[0213] In FIG. 23, a plurality of S-box candidates and a plurality of lower-level MDS candidates are generated initially. Alternatively, candidates other than the first set may be generated when the condition in step S26 is not satisfied and another S-box or MDS must be selected.

[0214] The actual processes in steps S25 and S26 are executed as follows.

[0215] In the example of the extended S-box 103 in FIG. 6, the following four different types of verifications (a total of 20 different verifications) are made for a combination of S-box and lower-level MDS, and when all conditions are satisfied, the set of S-boxes and lower-level MDS at that time is output in step S27.

[0216] (1) When one S-box 112 alone is activated on the input side of the lower-level MDS 113, if all four S-boxes 112 are activated on the output side of the lower-level MDS 113 and at least one of them has a difference smaller than the upper limit, it is determined that this verification is successful. This verification is made for each of the four S-boxes 112 on the input side (there are four different patterns).

[0217] (2) When only two S-boxes 112 are activated on the input side of the lower-level MDS 113, if all four S-boxes 112 are activated on the output side of the lower-level MDS 113, it is determined that this verification is successful, and if three S-boxes 112 are activated on the output side of the lower-level MDS 113 and at least one of them has a difference smaller than the upper limit, it is determined that this verification is successful. This verification is made for each of the combinations of two S-boxes on the input side (there are six different patterns).

[0218] (3) When only two S-boxes 112 are activated on the output side of the lower-level MDS 113, if all four S-boxes 112 are activated on the input side of the lower-level MDS 113, it is determined that this verification is successful, and if three S-boxes 112 are activated on the input side of the lower-level MDS 113 and at least one of them has a difference smaller than the upper limit, it is determined that this verification is successful. This verification is made for each of the combinations of two S-boxes on the output side (there are six different patterns).

[0219] (4) When one S-box 112 alone is activated on the output side of the lower-level MDS 113, if all four S-boxes 112 are activated on the input side of the lower-level MDS 113 and at least one of them has a difference smaller than the upper limit, it is determined that this verification is successful. This verification is made for each of the four S-boxes 112 on the output side (there are four different patterns).

[0220] The plurality of verification processes may be performed sequentially, or all or some of them may be performed in parallel. If one of the plurality of verification processes is not successful, all the subsequent verification processes may be canceled for that combination of S-box and lower-level MDS, and it may be determined that the verification is not successful.

[0221] In the example of the sequence shown in FIG. 23, when the first combination of S-box and lower-level MDS which satisfies the conditions is obtained, the process is aborted. Alternatively, a plurality of combinations of S-boxes and lower-level MDS which satisfy the conditions may be obtained, and the best evaluated one of these combinations may be selected.
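Steps S25 and S26 of FIG. 23, as the verifications (1) to (4) of [0216] to [0219] describe them, in one added Python example (editor's code, not from the patent). The page's components are not reproduced here: the S-box is a constructed 4-bit one (the PRESENT S-box, chosen only because its differential table is small and well known), and the MDS is the 2×2 matrix with elements 5, 7, A, B that the patent gives later for FIG. 30, over GF(2⁴) with x⁴+x+1 assumed as the field polynomial. The code generalizes the four rule types to a width-n layer using the branch number B=n+1,which is the editor's reading of the rules: a pattern with w active S-boxes on one side of the MDS needs attention only when the other side has exactly B−w active S-boxes; then at least one of those must see a difference whose best probability is below the upper limit, otherwise that pattern counts as a failure. The "difference" of an active S-box is read as the best entry of its differential distribution table for the input difference it receives (forward rules) or the output difference it must produce (backward rules).

```python
import itertools

# Constructed toy instance (not the patent's FIG. 5 S-box or FIG. 7 MDS)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MDS = [[0x5, 0x7], [0xA, 0xB]]        # FIG. 30 elements, used here over GF(2^4)
MDS_INV = [[0xC, 0xA], [0x5, 0xB]]    # inverse of MDS under x^4 + x + 1 (assumed polynomial)
W = 4                                 # S-box width in bits


def mul4(a, b):
    """GF(2^4) product with polynomial x^4 + x + 1 (assumed)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) & 0xF) ^ (0x3 if a & 0x8 else 0)
        b >>= 1
    return r


def mat_vec(m, v):
    """out[j] = XOR over i of m[j][i] * v[i]; the MDS maps an S-box difference
    vector on its input side to the difference vector on its output side."""
    out = []
    for row in m:
        acc = 0
        for coef, x in zip(row, v):
            acc ^= mul4(coef, x)
        out.append(acc)
    return out


def difference_table(sbox):
    """DDT: ddt[din][dout] = number of x with S(x) ^ S(x ^ din) == dout.
    Divided by 2^W this is the differential probability of [0204]."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt


def verify_combination(sbox, mds, mds_inv, limit):
    """Steps S25/S26 for an S-box layer -> MDS -> S-box layer block. Returns the
    number of failing active-S-box patterns; 0 means the combination passes.
    `limit` is the upper limit of [0210] expressed as a DDT count out of 2^W."""
    n = len(mds)
    B = n + 1                                   # branch number of an MDS ([0203])
    ddt = difference_table(sbox)
    nonzero = range(1, 1 << W)
    row_max = [max(r) for r in ddt]             # best probability for an input difference
    col_max = [max(ddt[d][e] for d in nonzero) for e in range(1 << W)]  # ... for an output difference
    failures = 0
    for w in range(1, min(2, n) + 1):           # the text checks 1 and 2 active S-boxes
        for pos in itertools.combinations(range(n), w):
            # rules (1),(2): w active S-boxes on the input side of the MDS
            for dins in itertools.product(nonzero, repeat=w):
                reach = [[d for d in nonzero if ddt[din][d]] for din in dins]
                for douts in itertools.product(*reach):
                    v = [0] * n
                    for p, d in zip(pos, douts):
                        v[p] = d
                    out = mat_vec(mds, v)
                    active = [i for i in range(n) if out[i]]
                    if w + len(active) == B and not any(row_max[out[i]] < limit for i in active):
                        failures += 1
            # rules (3),(4): w active S-boxes on the output side; run the MDS backwards
            for douts in itertools.product(nonzero, repeat=w):
                v = [0] * n
                for p, d in zip(pos, douts):
                    v[p] = d
                inp = mat_vec(mds_inv, v)
                active = [i for i in range(n) if inp[i]]
                if w + len(active) == B and not any(col_max[inp[i]] < limit for i in active):
                    failures += 1
    return failures


if __name__ == "__main__":
    ddt = difference_table(SBOX)
    p_max = max(max(r[1:]) for r in ddt[1:])
    print("max differential count:", p_max, "of", 1 << W)
    print("failing patterns at limit", p_max, ":", verify_combination(SBOX, MDS, MDS_INV, p_max))
```

A result of 0 means every minimum-weight characteristic through the layer involves at least one S-box whose differential probability is below the upper limit, which is what lets the combination beat the p^(B) bound of [0203]; a nonzero count is the signal to reselect the S-box or the MDS (step S26).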

[0222] The encryption apparatus has been explained. A decryption apparatus will be explained below.

[0223] The decryption apparatus has a structure obtained by reversing that of the encryption apparatus (the same key is used).

[0224] FIG. 24 shows an example of the arrangement of a decryption apparatus corresponding to the encryption apparatus shown in FIG. 4.

[0225] FIG. 25 shows an example of the internal arrangement of the inverse transform of an extended S-box corresponding to FIG. 6.

[0226] FIG. 26 shows an example of the structure of one stage of the inverse transform of a data randomizing part corresponding to FIG. 8.

[0227] In FIG. 24, the key scheduling part of the decryption apparatus has the same arrangement as that of the encryption apparatus shown in FIG. 4.

[0228] The input/output table of each S-box 1112, the lower-level MDS matrix of each lower-level MDS 1113, and the higher-level MDS matrix of the higher-level MDS 1104 are the inverse functions (inverse matrices) of the input/output table of each S-box 112 (e.g., FIG. 5), the lower-level MDS matrix of each lower-level MDS 113 (e.g., FIG. 7), and the higher-level MDS matrix of the higher-level MDS 104 (e.g., FIGS. 9 and 10) in the encryption apparatus.

[0229] In FIG. 24, the key is generated in the same order as in FIG. 4, but may be generated in the order opposite to FIG. 4.

[0230] FIG. 27 shows an example of the arrangement of the key scheduling part in such a case.

[0231] Reference numeral 1132 denotes the inverse transform of the nonlinear transformation layer 132 of FIG. 11 (including four parallel inverse transforms of the SP layers 133 (e.g., the inputs and outputs in FIG. 13 or 14 are reversed)).

[0232] The input/output table of each S-box, the lower-level MDS matrix, and the higher-level MDS matrix used in the key scheduling part shown in FIG. 27 are the inverse functions (inverse matrices) of those used in the key scheduling part in FIG. 11.

[0233] Assume that the decryption key input K′ in FIG. 27 is the key used in the last key addition in FIG. 4 (for the encryption apparatus).

[0234] In this case as well, various variations of the locations where the stage number dependent constants C_(i) are added as remainders are available in addition to the same method as in FIG. 12.

[0235] The example of a 128-bit block encryption scheme equivalent to AES, which uses 8-bit S-boxes, has been described as an application example of nested (recursive) SPN encryption as a combination of local diffusion (lower-level diffusion) and diffusion over the block width (higher-level diffusion). Another embodiment will be described using an example of a 64-bit block encryption scheme equivalent to AES, which uses 8-bit S-boxes (the portions which differ because 64 bits are used in place of 128 bits will be mainly explained).

[0236] An example of the arrangement of the second embodiment, a 64-bit block encryption scheme encryption apparatus/decryption apparatus or encryption algorithm/decryption algorithm to be described below, corresponds to a case wherein two parallel nonlinear transformation modules 2 (extended S-boxes in the example) are used in the basic arrangement shown in FIG. 1.

[0237] As in the 128-bit block encryption scheme mentioned above, the 64-bit block encryption scheme can improve resiliency against attacks.

[0238] An example of the hierarchical structure of the data diffusion part of the nested encryption is the same as that shown in FIG. 3.

[0239] The block length is 64 bits.

[0240] The key length is 128 bits as an example (of course, the present invention can be practiced for other block lengths). A case wherein the key length=64 bits or 96 bits when the block length=64 bits will be described later.

[0241] As an example of the number of stages (a pair of a plurality of parallel extended S-boxes and a higher-level MDS is counted as one stage; the final stage does not include any higher-level MDS, as will be described later), R=6 is used. Note that the number of stages is basically not particularly limited. However, the actual number of stages is appropriately set in consideration of security, computer resources, and the like, and it is more effective to set six or more stages.

[0242] In the encryption of this embodiment, since a stage function includes two S-box layers, one stage corresponds to two stages in a normal structure. As for the higher-level MDS in the stage structure, some implementation examples based on Galois fields will be explained.

[0243] FIG. 28 shows an example of the arrangement of an encryption apparatus according to this embodiment.

[0244] Reference numeral 2101 denotes each stage; 2104, a higher-level MDS diffusion layer; 2102, an extended S-box layer; and 2103, the individual extended S-boxes. Reference numeral 2105 denotes an EX-OR unit. Reference numerals 2121 to 2124 denote components of a key scheduling part (details will be described later). Reference symbol P denotes the 64-bit plaintext as an input; and C, the 64-bit ciphertext as an output. Note that each extended S-box 2103 may be the same as the extended S-box 103 in FIG. 4.

[0245] The stage function has a structure in which two parallel 32-bit processing subblocks (extended S-boxes) 2103, each consisting of a two-stage SPN structure, are juxtaposed, and their outputs are coupled by the MDS diffusion layer 2104. The overall basic structure is defined by repetitions of this stage function.

[0246] In the example of FIG. 28, to attain symmetric encryption and decryption processes, the final stage is constructed by only the extended S-box layer 2102 and a key adder 2105 connected to the output of the extended S-box layer 2102.

[0247] Since two stages of SPN structures are embedded in one stage of the stage function, and key addition is made at the end of the process, the bit length of the extended key is 2×64×R+64=64(2R+1). When R=6, the bit length is 128×13 bits.

[0248] Each S-box can use either an input/output table or an arithmetic process, as described above. An example of the input/output table of the 8-bit S-box is the same as that shown in FIG. 5.

[0249] An example of the internal arrangement of the extended S-box 2103 is the same as that shown in FIG. 6. The diffusion layer 113 in the extended S-box similarly uses the MDS_(L) matrix shown in FIG. 7, and performs the multiplication while regarding the S-box inputs and outputs and the matrix elements as elements of a Galois field GF(2⁸).

[0250] The higher-level structure as the stage function of the encryption of this example will be explained below.

[0251] FIG. 29 shows an example of the arrangement of the portion for one stage of the randomizing part. The higher-level structure as the stage function of the encryption of this example is constructed by coupling two parallel 32-bit extended S-boxes 2103 (see FIG. 6) by a diffusion layer 2104 of an MDS matrix. The diffusion layer 2104 in the higher-level structure as the stage function also uses an MDS matrix.

[0252] As for the arrangement of the higher-level MDS, methods using GF(2³²), GF(2⁴), GF(2⁸), and GF(2¹⁶) are available as in the above description.

[0253] The higher-level MDS using GF(2⁴) will be explained.

[0254] FIG. 30 shows an example of an MDS matrix in this case.

[0255] In this case, 1-bit data at corresponding positions (the most significant bits are exemplified in FIG. 30) of the outputs, i.e., the 8-bit data of the four S-boxes in one extended S-box 2103, form 4-bit data per set, and two sets of 4-bit data from one extended S-box 2103 are considered as elements of GF(2⁴).

[0256] A diffusion layer 2104 between two stages of the two parallel extended S-box layers 2103 uses 2 (rows)×2 (columns) MDS matrices (e.g., 2104-1 in the case of the most significant bits in FIG. 30) at corresponding positions of the 8-bit data.

[0257] The two sets of 4-bit data as outputs are connected to the corresponding positions of the corresponding source 8-bit data.

[0258] Eight MDS matrices (2104-1 to 2104-8) are prepared as higher-level MDS matrices in correspondence with the bit width of the S-boxes.

[0259] By table lookup in units of S-box outputs at corresponding positions of the extended S-boxes (or by arithmetic operations), an efficient implementation that simultaneously processes the eight MDS matrices can be made.

[0260] If cyclic MDS matrices are used, an efficient process that combines EX-ORing in units of 32 bits and bit rotations in units of 8 bits can be performed.

[0261] Note that FIG. 30 shows, as an example of the higher-level MDS matrix for the encryption apparatus:

[0262] 1st row, 1st column=5, 1st row, 2nd column=7

[0263] 2nd row, 1st column=A, 2nd row, 2nd column=B

[0264] A corresponding higher-level MDS matrix for the decryptionapparatus is described by:

[0265] 1st row, 1st column=C, 1st row, 2nd column=A

[0266] 2nd row, 1st column=5, 2nd row, 2nd column=B

[0267] Note that the former matrix may be used for decryption, and the latter may be used for encryption.

[0268] Also, a matrix obtained by substituting rows, substituting columns, and arbitrarily transposing an arbitrary MDS matrix may be used.

[0269] Furthermore, other higher-level MDS matrices may be used.

[0270] This higher-level MDS diffusion layer can be implemented by software that executes the transformation by means of matrix arithmetic operations or an input/output transformation table, but may also be implemented by hardware (an actual circuit formed on, e.g., a semiconductor substrate).

[0271] In order to implement the higher-level MDS using an actual circuit, a line connection pattern equivalent to an MDS matrix can be used.

[0272] FIG. 31 shows line connection expressions (line connection patterns) of multiplication over GF(2⁴) in correspondence with the elements 1 to F of GF(2⁴). Note that a coupled portion calculates an EX-OR.

[0273] More specifically, in each of the diffusion layers 2104-1 to 2104-8 in FIG. 30, the line connection patterns of a portion for applying the 1st row, 1st column element of the MDS matrix to x₁, a portion for applying the 1st row, 2nd column element to x₂, a portion for applying the 2nd row, 1st column element to x₁, and a portion for applying the 2nd row, 2nd column element to x₂ can use the corresponding line connection patterns of the matrix elements in FIG. 31.

[0274] FIG. 32 shows an example of an actual circuit of the higher-level MDS based on the matrix exemplified in FIG. 30. In FIG. 32, reference numeral 2141 denotes a line connection pattern corresponding to the 1st row, 1st column element “5”; 2142, a line connection pattern corresponding to the 1st row, 2nd column element “7”; 2143, a line connection pattern corresponding to the 2nd row, 1st column element “A”; and 2144, a line connection pattern corresponding to the 2nd row, 2nd column element “B”. At a portion where a plurality of bits are coupled, an EX-OR is calculated.

[0275] After the coupling processes by EX-ORing of the portions corresponding to the products of the matrix, the coupling processes by EX-ORing of the portions corresponding to the sums of products of the matrix are performed. Alternatively, all such coupling processes by EX-ORing may be performed simultaneously, or may be divisionally performed in a plurality of processes.

[0276] Also, the following procedure may be taken. That is, desired line connection patterns are selected from the line connection pattern group shown in FIG. 31 to form a candidate actual circuit arrangement of the higher-level MDS for encryption, and it is then verified whether an inverse matrix (MDS matrix) of the corresponding MDS matrix is present. Of course, the matrix for decryption may be determined first.

[0277] Also, expressions other than line connection expressions (line connection patterns) of multiplication over GF(2⁴) may be used.

[0278] This method can be applied not only to the second embodiment but also to the 128-bit block encryption scheme of the first embodiment mentioned above.

[0279] Renormalization will be described below.

[0280] The fan-in of the MDS diffusion layer will be explained. In the line connection patterns shown in FIG. 31, the number of bits (the number of connected lines) connected to a given bit on the data output side is called “fan-in”. For example, in the line connection pattern corresponding to “1”, all bits have fan-in=1. On the other hand, in the line connection pattern corresponding to “5”, fan-in=2, 3, 3, and 2 in turn from the left to the right bits.

[0281] A total S of the fan-in values of the line connection patterns of the MDS diffusion layer will be examined below. In the example shown in FIG. 32, the total S of the fan-in values of the 16 bits bounded by the dotted lines 2141 to 2144 is 45. The total S of the fan-in values of the line connection patterns of the MDS diffusion layer is preferably small, since a large S results in an increase in the number of lines (and also an increase in EX-OR arithmetic operations and the like upon matrix calculations). In case of a 2 (rows)×2 (columns) MDS having elements of GF(2⁴) as its elements, the minimum value of S is 18.

[0282] As a method of reducing S, a renormalization scheme is known. This scheme can reduce the circuit volume (the calculation volume upon making matrix calculations).

[0283] In order to perform renormalization, pre-processing circuits 2180-1 and 2180-2 for renormalization are inserted between each of the MDS diffusion layers 2104-1 to 2104-8 and the individual S-boxes on the input side, as shown in FIG. 33.

[0284] Each pre-processing circuit 2180 has one of the line connection patterns shown in FIG. 31 or makes an equivalent calculation process.

[0285] FIG. 33 shows an implementation by renormalization using a common factor=5 for both S-boxes. FIG. 34 shows an example of the higher-level MDS at that time. In this case, the higher-level MDS matrix is described by:

[0286] 1st row, 1st column=1, 1st row, 2nd column=4

[0287] 2nd row, 1st column=2, 2nd row, 2nd column=9

[0288] In FIG. 34, reference numeral 2145 denotes a line connection pattern corresponding to the 1st row, 1st column element “1”; 2146, a line connection pattern corresponding to the 1st row, 2nd column element “4”; 2147, a line connection pattern corresponding to the 2nd row, 1st column element “2”; and 2148, a line connection pattern corresponding to the 2nd row, 2nd column element “9”. A portion where a plurality of bits are coupled corresponds to an EX-OR, as described above. In this case, the value S is 20.

[0289] The higher-level diffusion in FIG. 32 is equivalent to that in FIG. 33 or FIG. 34.

[0290] As a method of obtaining a common factor and the matrix at that time upon renormalization, for example, matrices that can attain higher-level diffusion equivalent to that of the matrix obtained without renormalization are obtained using common factors as parameters, and their fan-in values are evaluated to select the matrix to be adopted.

[0291] Note that the respective S-boxes may or may not be constrained to have an identical common factor.

[0292] Upon implementation by renormalization for the respective S-boxes using a common factor=B in a matrix described by:

[0293] 1st row, 1st column=C, 1st row, 2nd column=A

[0294] 2nd row, 1st column=5, 2nd row, 2nd column=B

a higher-level MDS matrix is described by:

[0295] 1st row, 1st column=9, 1st row, 2nd column=4

[0296] 2nd row, 1st column=2, 2nd row, 2nd column=1

[0297] Of course, this method can also be applied to the 128-bit block encryption scheme mentioned above.
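The matrices, fan-in counts and renormalization of [0261] to [0296] can be checked numerically. The following Python is an added example, not code from the patent; the page does not state the reduction polynomial of GF(2⁴), so x⁴+x+1 is assumed here (it reproduces the page's figures: fan-in 2, 3, 3, 2 for “5”, S=45, S=20, and the decryption matrix as the inverse of the encryption matrix), and the assignment of S-box index to bit position within a GF(2⁴) element in higher_level_mds is likewise an assumption.

```python
# Added example, not code from the patent. ASSUMED: GF(2^4) reduced by x^4 + x + 1,
# which reproduces the page's figures (fan-in 2,3,3,2 for "5", S = 45, S = 20, inverse matrix).
POLY = 0x13


def gf16_mul(a, b):
    """Multiply two GF(2^4) elements (ints 0..15) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r & 0xF


def gf16_inv(a):
    """Multiplicative inverse by exhaustive search (the field has only 15 nonzero elements)."""
    return next(x for x in range(1, 16) if gf16_mul(a, x) == 1)


def mat_mul(m, n):
    """Product of two 2x2 matrices over GF(2^4)."""
    return [[gf16_mul(m[i][0], n[0][j]) ^ gf16_mul(m[i][1], n[1][j])
             for j in range(2)] for i in range(2)]


def is_mds_2x2(m):
    """A 2x2 matrix over a field is MDS iff every entry and the determinant are nonzero."""
    det = gf16_mul(m[0][0], m[1][1]) ^ gf16_mul(m[0][1], m[1][0])
    return det != 0 and all(e != 0 for row in m for e in row)


def line_pattern(c):
    """Line connection pattern (FIG. 31) of multiplication by c: for each output bit,
    MSB first, the list of input bit positions that are EX-ORed into it."""
    image = [gf16_mul(c, 1 << i) for i in range(4)]  # where each input bit lands
    return [[i for i in range(4) if (image[i] >> out) & 1] for out in (3, 2, 1, 0)]


def fan_in(c):
    """Fan-in of each output bit of the pattern for c, left (MSB) to right (LSB)."""
    return [len(srcs) for srcs in line_pattern(c)]


def total_fan_in(m):
    """S: total fan-in of the four line connection patterns of a 2x2 higher-level MDS."""
    return sum(sum(fan_in(e)) for row in m for e in row)


def renormalize(m, factor):
    """Pull a common scalar out of every entry: m = factor * renormalize(m, factor).
    The factor moves into the pre-processing circuits 2180 on the S-box outputs (FIG. 33)."""
    inv = gf16_inv(factor)
    return [[gf16_mul(e, inv) for e in row] for row in m]


def higher_level_mds(left, right, m):
    """Bit-sliced higher-level MDS (FIG. 30): bit j of the four 8-bit S-box outputs of each
    32-bit half forms one GF(2^4) element (ASSUMED: S-box k supplies element bit k), and the
    same 2x2 matrix is applied at the eight bit positions j = 0..7 (2104-1 to 2104-8)."""
    out_l = out_r = 0
    for j in range(8):
        xl = sum(((left >> (8 * k + j)) & 1) << k for k in range(4))
        xr = sum(((right >> (8 * k + j)) & 1) << k for k in range(4))
        yl = gf16_mul(m[0][0], xl) ^ gf16_mul(m[0][1], xr)
        yr = gf16_mul(m[1][0], xl) ^ gf16_mul(m[1][1], xr)
        for k in range(4):
            out_l |= ((yl >> k) & 1) << (8 * k + j)
            out_r |= ((yr >> k) & 1) << (8 * k + j)
    return out_l, out_r


ENC = [[0x5, 0x7], [0xA, 0xB]]  # higher-level MDS for encryption, FIG. 30 / [0262]-[0263]
DEC = [[0xC, 0xA], [0x5, 0xB]]  # its counterpart for decryption, [0265]-[0266]

if __name__ == "__main__":
    print("ENC * DEC =", mat_mul(ENC, DEC))
    print("fan-in of 5:", fan_in(0x5), " S(ENC) =", total_fan_in(ENC))
    renorm = renormalize(ENC, 0x5)
    print("ENC / 5 =", renorm, " S =", total_fan_in(renorm))
```

A single-bit input difference is spread to both 32-bit halves by every matrix that passes is_mds_2x2, which is the diffusion property the 2×2 MDS is chosen for.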

[0298] Note that the wiring and layouts exemplified above indicate theoretical relationships, and actual wiring and layouts have a degree of freedom in design. All eight portions 2104-1 to 2104-8 of the higher-level MDS layer may be mounted, or only some (e.g., one, two, or four) of the MDS portions 2104-1 to 2104-8 may be mounted and time-divisionally shared.

[0299] The encryption and decryption apparatuses are arranged in the same way (they have only an inverse transform relationship).

[0300] Based on the same idea as described above, processing may be performed in units of 2 bits at corresponding positions of the 8-bit data, and four 2 (rows)×2 (columns) MDS matrices (GF(2⁸)) having 8-bit elements may be prepared as higher-level MDS matrices. On the other hand, processing may be performed in units of 4 bits at corresponding positions of the 8-bit data, and two 2 (rows)×2 (columns) MDS matrices (GF(2¹⁶)) having 16-bit elements may be prepared as higher-level MDS matrices.

[0301] In the above description, bits at corresponding positions are extracted and processed. Alternatively, bits at different positions may be (exclusively) extracted and processed.

[0302] As in the example shown in FIG. 9, an arrangement based on a higher-level MDS matrix using GF(2³²) is also possible.

[0303] The aforementioned arrangement examples can also be applied to the 128-bit block encryption scheme mentioned above.

[0304] As in the above description, in FIG. 28, all the extended S-boxes need not have the same internal arrangement, and some of them may have different arrangements.

[0305] All the higher-level MDS matrices need not have the same internal arrangement, and some of them may have different arrangements. The same applies to the lower-level MDS matrices and the input/output tables of the S-boxes.

[0306] For example, the first input stage and the last output stage may have internal arrangements different from those of the intermediate stages.

[0307] Note that an arrangement for substituting bit positions of a plurality of S-boxes belonging to identical extended S-boxes (or inserting such a circuit) at the input and output sides of each higher-level MDS is also available.

[0308] In addition, various other variations are available.

[0309] Of course, the arrangement of the higher-level MDS described so far can be applied to encryption and decryption apparatuses having various variations.

[0310] The key scheduling part (key generator) will be explained below.

[0311] FIG. 35 shows an example of the arrangement of the key scheduling part. Reference numeral 2121 denotes a portion corresponding to one stage of the stage function of the data diffusion part; 2131, a linear diffusion layer (in this example, a diffusion layer using a higher-level MDS matrix); 2132, a nonlinear transformation layer (in this example, two parallel SP layers (S-box layers/diffusion layers)); 2134, an EX-OR unit; and 2135, a remainder adder. Although not shown in FIG. 35, the arrangement of the portion 2121 is repeated as needed. When the arrangement unit that outputs a 64-bit key is defined as one stage of the key scheduling part, the number of stages of the key scheduling part is (2R+1) (=13 when R=6).

[0312] In the example shown in FIG. 35, the 64 bits of the left half of the output of each stage of a 128-bit modified Feistel repetitive process are extracted, and a stage number dependent constant C_(i) is added thereto as a remainder to obtain an extended key.

[0313] When the key length is 128 bits, for example, the upper 64 bits are input to the linear diffusion layer 2131 of the first stage, and the lower 64 bits are input to the nonlinear transformation layer 2132. When the key length is 64 bits, for example, the 64 bits are input to the linear diffusion layer 2131 of the first stage, and also to the nonlinear transformation layer 2132. When the key length is 96 bits (=32 bits×3), for example, the 64 bits obtained by coupling the upper 32 bits and the intermediate 32 bits are input to the linear diffusion layer 2131 of the first stage, and the 64 bits obtained by coupling the upper 32 bits and the lower 32 bits are input to the nonlinear transformation layer 2132.

[0314] Note that the location of the remainder adder 136 that adds the stage number dependent constant C_(i) as a remainder may have various variations, as shown in FIG. 36.

[0315] An example of the arrangement of each nonlinear transformation layer 2132 in FIGS. 35 and 36 is the same as that in FIGS. 13 and 14 (as in FIG. 14, the constant to be EX-ORed with the input to each S-box may be a stage number dependent constant). Also, the S-box may be either the same as or different from that for the encryption processing shown in FIG. 28. The S-boxes and the lower-level MDS may have different arrangements in units of stages of the key scheduling part. An example of a method of generating different constants C_(i) in the individual stages will be explained below.

[0316] The 64-bit additive constant C_(i) of the key scheduling part in FIGS. 35 and 36 is described by a combination of four 32-bit constants (H₀, H₁, H₂, H₃). Examples of the 32-bit constants H_(i) are:

H₀=(5A827999)_(H)=⌊√2/4×2³²⌋

H₁=(6ED9EBA1)_(H)=⌊√3/4×2³²⌋

H₂=(8F1BBCDC)_(H)=⌊√5/4×2³²⌋

H₃=(CA62C1D6)_(H)=⌊√10/4×2³²⌋

[0317] A combination of the additive constants C_(i) is described by C_(i)=(C_(i0), C_(i1)). In order to allow easy generation of different 64-bit constants C_(i) in the individual stages, an 8-bit LFSR is used to determine the combination of H_(i) which forms C_(i). For example, (1D)_(H) is used as the primitive polynomial of the LFSR, and (8B)_(H) is used as the initial state of the LFSR. The bit sequence generated using the LFSR is read out in units of 2 bits to determine the 32-bit constant H_(i) used as the constant.

[0318] FIG. 37 shows an example of an additive constant table determined using the LFSR by the aforementioned method.
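As an added example (not the patent's code), the constants H_(i) of [0316] can be computed exactly with integer square roots, and the 2-bit LFSR readout of [0317] can be carried out for the 2R+1 stages. The page does not state the LFSR form or which bit is output, so a left-shifting Galois LFSR with feedback (1D)_(H), output taken from the most significant bit, and the first 2-bit pair selecting C_(i0) are assumptions; the resulting table is one reading and need not match FIG. 37.

```python
# Added example, not the patent's code. From the page: H_i = floor(sqrt(n)/4 * 2^32),
# n in (2, 3, 5, 10); an 8-bit LFSR with primitive polynomial (1D)_H and initial state
# (8B)_H, read 2 bits at a time to choose which H_i make up C_i = (C_i0, C_i1).
# ASSUMED (not on the page): Galois-form LFSR shifted left with feedback 0x1D, output bit
# taken from the MSB before each shift, first 2-bit read selects C_i0.
import math


def h_constants():
    """H_0..H_3 computed exactly: sqrt(n)/4 * 2^32 = sqrt(n * 2^60), so isqrt avoids
    any float rounding near an integer boundary."""
    return tuple(math.isqrt(n << 60) for n in (2, 3, 5, 10))


H = h_constants()  # (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6) as on the page


class Lfsr8:
    """8-bit Galois LFSR; taps 0x1D encode x^8 + x^4 + x^3 + x^2 + 1 with the x^8 term implicit."""

    def __init__(self, state=0x8B, taps=0x1D):
        self.state = state & 0xFF
        self.taps = taps

    def bit(self):
        """Emit the MSB, then shift left and fold it back through the taps."""
        out = (self.state >> 7) & 1
        self.state = ((self.state << 1) & 0xFF) ^ (self.taps if out else 0)
        return out

    def bits(self, n):
        """Read n successive output bits as an integer, first bit most significant."""
        v = 0
        for _ in range(n):
            v = (v << 1) | self.bit()
        return v


def lfsr_period(state=0x8B, taps=0x1D):
    """Steps until the state recurs. 255 = 2^8 - 1 confirms the polynomial is primitive,
    so every nonzero initial state visits all 255 nonzero states before repeating."""
    l = Lfsr8(state, taps)
    for n in range(1, 256):
        l.bit()
        if l.state == state:
            return n
    return None


def additive_constants(stages, state=0x8B):
    """C_i = (H[a], H[b]) for each stage, a and b being successive 2-bit reads."""
    l = Lfsr8(state)
    return [(H[l.bits(2)], H[l.bits(2)]) for _ in range(stages)]


def constant_table(stages=13):
    """The 64-bit constants for the 2R+1 key scheduling stages (13 when R = 6), C_i0 high."""
    return [(c0 << 32) | c1 for c0, c1 in additive_constants(stages)]


if __name__ == "__main__":
    print("LFSR period:", lfsr_period())
    for i, c in enumerate(constant_table()):
        print(f"C_{i:<2} = {c:016X}")
```

Because the period is the full 255, a decryption apparatus that knows (8B)_(H) reproduces exactly the same table, while any other initial state yields a different sequence of H_(i) choices, which is the point made in [0319].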

[0319] Note that the initial state of the LFSR may be variable or fixed. In the former case, the initial state of the LFSR partially defines the key. In the latter case, only a decryption apparatus having the same initial state of the LFSR as that in the encryption apparatus can decrypt the ciphertext.

[0320] According to the aforementioned key scheduling part, in the nonlinear transformation layer, when 1 bit of the input has changed, the S-boxes can spread that change to 8 bits, and the lower-level MDS can spread the change to 32 bits. Furthermore, in the linear diffusion layer, since the higher-level MDS largely diffuses the output from the nonlinear transformation layer of the previous stage, a 1-bit difference can be spread to the 64-bit width.

[0321] Therefore, according to the key scheduling part, the respective stages can easily generate, i.e., diffuse, random keys. Since different constants are used in units of stages, keys rarely match among stages (keys nearly never match).

[0322] Note that the key scheduling part may have another arrangement.

[0323] Note that the linear diffusion device and the Galois field multiplier that have been explained with reference to FIGS. 16 to 18 can also be applied to this case.

[0324] The MDS matrix generation section (or random generation algorithm) that has been explained with reference to FIGS. 19 to 22 can also be applied to this case.

[0325] Of course, the design method of a combination of S-box and MDS that has been explained with reference to FIG. 23 can also be applied to this case.

[0326] The decryption apparatus will be explained below.

[0327] The decryption apparatus basically has a structure obtained by reversing that of the encryption apparatus (the same key is used).

[0328] FIG. 38 shows an example of the arrangement of a decryption apparatus corresponding to the encryption apparatus shown in FIG. 28.

[0329] FIG. 39 shows another example of the structure of one stage of the inverse transform of the data randomizing part of FIG. 28, which stage corresponds to that shown in FIG. 29.

[0330] An example of the arrangement corresponding to the lower-level structure (see FIG. 6) in FIG. 28 is the same as that shown in FIG. 25.

[0331] In FIG. 38, the key scheduling part of the decryption apparatus has the same arrangement as that of the encryption apparatus shown in FIG. 28.

[0332] The input/output table of each S-box (see 1112 in FIG. 25), the lower-level MDS matrix of each lower-level MDS (see 1113 in FIG. 25), and the higher-level MDS matrix of the higher-level MDS 3104 are inverse functions (inverse matrices) of the input/output table of each S-box (see 1112 in FIG. 6), the lower-level MDS matrix of each lower-level MDS (see 113 in FIG. 6), and the higher-level MDS matrix of the higher-level MDS 3104 in the encryption apparatus.

[0333] In FIG. 38, the key is generated in the same order as in FIG. 28, but may be generated in an order opposite to that of FIG. 28.

[0334] FIG. 40 shows an example of the arrangement of the key scheduling part in such a case.

[0335] Reference numeral 3132 denotes the inverse transform of the nonlinear transformation layer 2132 of FIG. 35 (including four parallel inverse transforms of the SP layers 2133 (e.g., the inputs and outputs in FIG. 13 or FIG. 14 are reversed)).

[0336] The input/output table of each S-box, the lower-level MDS matrix, and the higher-level MDS matrix used in the key scheduling part shown in FIG. 40 are inverse functions (inverse matrices) of those used in the key scheduling part in FIG. 35.

[0337] Assume that the decryption key input K′ in FIG. 40 is the key used in the last key addition in FIG. 28 (for encryption).

[0338] In this case as well, various variations of the locations where the stage number dependent constants C_(i) are added as remainders are available, in addition to the same method as in FIG. 36.

[0339] In the above description, the 128-bit block encryption scheme and the 64-bit block encryption scheme have been exemplified, but the present invention can be applied to block encryption schemes of other bit lengths.

[0340] The hardware arrangement and software arrangement of this embodiment will be explained below.

[0341] The encryption and decryption apparatuses of this embodiment can be implemented by either hardware or software.

[0342] Upon software implementation, this embodiment can be applied to a computer readable recording medium which records a program which implements the encryption or decryption apparatus and makes a computer execute predetermined means (or makes a computer function as predetermined means, or makes a computer implement predetermined functions).

[0343] Upon hardware implementation, the encryption or decryption apparatus can be formed as a semiconductor device.

[0344] When an encryption or decryption apparatus to which the present invention is applied is constructed, or when an encryption or decryption program is prepared, all the blocks or modules exemplified in FIGS. 4 and 24 may be individually created. Alternatively, one or an appropriate number of blocks or modules having an identical arrangement may be prepared, and may be shared (commonly used) by the respective portions of the algorithm.

[0345] In case of software implementation, multi-processors may be used to execute parallel processes, thus achieving high-speed processing.

[0346] Note that an apparatus which has an encryption function but no decryption function, an apparatus which has a decryption function but no encryption function, or an apparatus which has both the encryption and decryption functions can be constructed. Likewise, a program which has an encryption function but no decryption function, a program which has a decryption function but no encryption function, or a program which has both the encryption and decryption functions can be prepared.

[0347] Applications of this embodiment to systems will be explained below.

[0348] The encryption system of this embodiment can basically be applied to every kind of system.

[0349] For example, as shown in FIG. 41, a key is securely shared between a transmitting apparatus 301 and a receiving apparatus 303 by a predetermined method or procedure. The transmitting apparatus 301 encrypts transmission data in units of the block length by the encryption system of this embodiment, and transmits the encrypted data to the receiving apparatus 303 via a communication network 302 in accordance with a predetermined protocol. Upon receiving the encrypted data, the receiving apparatus 303 decrypts the received encrypted data in units of the block length by the encryption system of this embodiment to reproduce the original plaintext. Note that when these apparatuses have both the encryption and decryption functions, they can make two-way encrypted communications.

[0350] For example, as shown in FIG. 42, a computer 311 generates a key by a predetermined method, encrypts data to be saved in units of the block length by the encryption system of this embodiment, and saves the encrypted data in a data server 313 via a predetermined network 314 (e.g., a LAN, the Internet, or the like). Upon reading the saved data, the computer 311 reads the desired encrypted data from the data server 313, and decrypts the read data in units of the block length by the encryption system of this embodiment to reproduce the original plaintext. If another computer 312 knows this key, it can similarly decrypt and reproduce the plaintext. However, other computers which do not know the key cannot decrypt the encrypted data, thus achieving security control of information.

[0351] For example, as shown in FIG. 43, for a contents provider, an encryption apparatus 321 encrypts given contents using a given key in units of the block length by the encryption system of this embodiment, records the encrypted contents in recording media 322, and delivers these media to users. A user who has acquired the recording medium 322 acquires the key by a predetermined method, and decrypts the contents in units of the block length by the encryption system of this embodiment using a decryption apparatus 323, thus browsing or playing back the contents.

[0352] Also, the present invention can be applied to various other systems.

[0353] Note that the arrangements described in this embodiment are merely examples, and do not exclude other arrangements; other arrangements obtained by replacing some components of the exemplified arrangement by other ones, omitting some components of the exemplified arrangement, adding other functions to the exemplified arrangement, or combining them are also available. Also, another arrangement theoretically equivalent to the exemplified arrangement, another arrangement including portions theoretically equivalent to the exemplified arrangement, another arrangement theoretically equivalent to a principal part of the exemplified arrangement, and the like are available. Furthermore, another arrangement that achieves the same or similar objects as or to those of the exemplified arrangement, another arrangement that can provide the same or similar effects as or to those of the exemplified arrangement, and the like are available.

[0354] Additional advantages and modifications will readily occur to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details and representative embodiments shown and described herein. Accordingly, various modifications may be made without departing from the spirit or scope of the general inventive concept as defined by the appended claims and their equivalents.

What is claimed is:
 1. An apparatus for encrypting block data,comprising: a first processing unit configured to randomize the blockdata in units of first portions obtained by dividing the block data; anda second processing unit configured to diffuse the block data outputfrom said first processing unit with respect to a second portion of theblock data which is wider than the first portion.
 2. The apparatusaccording to claim 1 , wherein said first processing unit comprisesfirst nonlinear processing units configured to respectively nonlinearlytransform the block data in units of the first portions; said secondprocessing unit comprises a first linear diffusion processing unitconfigured to linearly diffuse the second portion of the block data; andat least one of said first nonlinear processing units comprises: secondnonlinear processing units configured to nonlinearly transform the blockdata in units of the first portions; and a second linear diffusionprocessing unit configured to linearly diffuse the second portion of theblock data.
 3. The apparatus according to claim 2 , wherein said firstlinear diffusion processing unit performs an arithmetic operation usinga Maximum Distance Separable matrix.
 4. The apparatus according to claim3 , wherein only predetermined lower bits of all elements of saidMaximum Distance Separable matrix are nonzero.
 5. The apparatusaccording to claim 3 , wherein all elements on one row of said MaximumDistance Separable matrix have different values.
 6. The apparatusaccording to claim 3 , wherein said first linear diffusion processingunit includes a Maximum Distance Separable matrix to which are suppliedcorresponding bits of the first portions of the block data.
 7. Theapparatus according to claim 2 , wherein said second linear diffusionprocessing unit performs an arithmetic operation using a MaximumDistance Separable matrix.
 8. The apparatus according to claim 1 ,further comprising: a key generation section configured to generate keydata depending on the number of stages, said key generation sectioncomprising key generators connected in series, each of said keygenerators comprising a first circuit configured to nonlinearlytransform an output of a preceding generator, a second circuitconfigured to nonlinearly transform an output of a generator whichprecedes said preceding generator, and a third circuit configured toEX-OR outputs of said first and second circuits.
 9. An apparatus forencrypting block data, comprising: stage sections connected in series,each of said stage section comprising four first nonlinear processingunits and a first linear diffusion processing unit, said four firstnonlinear processing units configured to receive input 128-bit plaintextblock data at a first stage or 128-bit block data processed by apreceding stage at a second and subsequent stages, and linearly diffuseand nonlinearly transform four sets of 32-bit data obtained by dividingthe 128-bit block data, and said first linear diffusion processing unitconfigured to linearly diffuse 128-bit block data obtained by couplingthe four sets of 32-bit data output from said four first nonlinearprocessing units using a Maximum Distance Separable matrix; four secondnonlinear processing units connected to the last stage of said stagesections and configured to linearly diffuse and nonlinearly transformfour sets of 32-bit data obtained by dividing the 128-bit block data;and a first key addition section connected to said four second nonlinearprocessing units configured to add 128-bit key data to 128-bit blockdata obtained by coupling the four sets of 32-bit data output from saidfour second nonlinear processing units; and each of said first nonlinearprocessing units and second nonlinear processing units comprising: foursecond key addition sections configured to add 8-bit key data to foursets of 8-bit data obtained by dividing one of the four sets of 32-bitdata; four second nonlinear processing units configured to nonlinearlytransform outputs of said four second key addition sections by using aninput/output table of 8-bit; a second diffusion processing unitconfigured to linearly diffuse 32-bit data obtained by coupling foursets of 8-bit data output from said four second nonlinear processingunits using a Maximum Distance Separable matrix; and four third keyaddition sections which are the same as said second key additionsections and a third nonlinear processing unit, 
which are connected tosaid second diffusion processing unit.
 10. An apparatus for encryptingblock data, comprising: stage sections connected in series, each of saidstage section comprising two first nonlinear processing units and afirst linear diffusion processing unit, said two first nonlinearprocessing units configured to receive input 64-bit plaintext block dataat a first stage or 64-bit block data processed by a preceding stage ata second and subsequent stages, and linearly diffuse and nonlinearlytransform two sets of 32-bit data obtained by dividing the 64-bit blockdata, and said first linear diffusion processing unit configured tolinearly diffuse 64-bit block data obtained by coupling the two sets of32-bit data output from said two first nonlinear processing units usinga Maximum Distance Separable matrix; two second nonlinear processingunits connected to the last stage of said stage sections and configuredto linearly diffuse and nonlinearly transform two sets of 32-bit dataobtained by dividing the 64-bit block data; and a first key additionsection connected to said two second nonlinear processing unitsconfigured to add 64-bit key data to 64-bit block data obtained bycoupling the two sets of 32-bit data output from said two secondnonlinear processing units; and each of said first nonlinear processingunits and second nonlinear processing units comprising: two second keyaddition sections configured to add 8-bit key data to two sets of 8-bitdata obtained by dividing one of the two sets of 32-bit data; two secondnonlinear processing units configured to nonlinearly transform outputsof said two second key addition sections by using an input/output tableof 8-bit; a second diffusion processing unit configured to linearlydiffuse 32-bit data obtained by coupling two sets of 8-bit data outputfrom said two second nonlinear processing units using a Maximum DistanceSeparable matrix; and two third key addition sections which are the sameas said second key addition sections and a third nonlinear processingunit, which are connected to 
said second diffusion processing unit. 11.An article of manufacture comprising a computer usable medium havingcomputer readable program code means embodied therein, the computerreadable program code means comprising: first computer readable programcode means for causing a computer to randomize the block data in unitsof first portions obtained by dividing the block data; and secondcomputer readable program code means for causing a computer to diffusethe block data output from said first processing unit with respect to asecond portion of the block data which is wider than the first portion.12. The article of manufacture according to claim 11 , wherein saidfirst computer readable program code means performs a nonlineartransformation processing with respect to the block data in units of thefirst portions; said second computer readable program code meansperforms a linear diffusion processing with respect to the secondportion of the block data; and said nonlinear transformation processingcomprises: a nonlinear transformation of the block data in units of thefirst portions; and a linear diffusion of the second portion of theblock data.
13. A method of encrypting block data, comprising: randomizing the block data in units of first portions obtained by dividing the block data; and diffusing the randomized block data with respect to a second portion of the block data which is wider than the first portion.

14. The method according to claim 13, wherein said randomizing comprises a nonlinear transformation of the block data in units of the first portions; said diffusing comprises a linear diffusion of the second portion of the block data; and said nonlinear transformation comprises: a nonlinear transformation of the block data in units of the first portions; and a linear diffusion of the second portion of the block data.
15. An apparatus for decrypting encrypted block data, comprising: a first processing unit configured to randomize the encrypted block data in units of first portions obtained by dividing the encrypted block data; and a second processing unit configured to diffuse the encrypted block data output from said first processing unit with respect to a second portion of the encrypted block data which is wider than the first portion.

16. The apparatus according to claim 15, wherein said first processing unit comprises first nonlinear processing units configured to respectively nonlinearly transform the encrypted block data in units of the first portions; said second processing unit comprises a first linear diffusion processing unit configured to linearly diffuse the second portion of the encrypted block data; and at least one of said first nonlinear processing units comprises: second nonlinear processing units configured to nonlinearly transform the encrypted block data in units of the first portions; and a second linear diffusion processing unit configured to linearly diffuse the second portion of the encrypted block data.

17. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein, the computer readable program code means comprising: first computer readable program code means for causing a computer to randomize the encrypted block data in units of first portions obtained by dividing the encrypted block data; and second computer readable program code means for causing a computer to diffuse the encrypted block data output from said first processing unit with respect to a second portion of the encrypted block data which is wider than the first portion.

18. The article of manufacture according to claim 17, wherein said first computer readable program code means performs a nonlinear transformation processing with respect to the encrypted block data in units of the first portions; said second computer readable program code means performs a linear diffusion processing with respect to the second portion of the encrypted block data; and said nonlinear transformation processing comprises: a nonlinear transformation of the encrypted block data in units of the first portions; and a linear diffusion of the second portion of the encrypted block data.
19. A method of decrypting encrypted block data, comprising: randomizing the encrypted block data in units of first portions obtained by dividing the encrypted block data; and diffusing the randomized encrypted block data with respect to a second portion of the encrypted block data which is wider than the first portion.

20. The method according to claim 19, wherein said randomizing comprises a nonlinear transformation of the encrypted block data in units of the first portions; said diffusing comprises a linear diffusion of the second portion of the encrypted block data; and said nonlinear transformation comprises: a nonlinear transformation of the encrypted block data in units of the first portions; and a linear diffusion of the second portion of the encrypted block data.
21. An arithmetic operation device for a block data encryption apparatus, which device diffuses block data using a Maximum Distance Separable matrix, the device comprising: a multiplier configured to multiply corresponding bits of first portions obtained by dividing the block data and an element of the Maximum Distance Separable matrix without feeding back an overflow; a lookup table configured to store data indicating a relation between predetermined upper bits and a return word for adjusting the overflow; and an EX-OR circuit configured to read out the return word based on the predetermined upper bits and EX-OR the read return word and an output of the multiplier.
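As an added illustration of claim 21 (this is example code, not the patent's own or any product's), the three parts of the arithmetic device are modelled in software: a carry-less multiplier that produces a 15-bit product with no overflow feedback, a lookup table that maps the seven overflow bits to a "return word", and an XOR that folds the return word into the low byte. This is the byte multiply that both the 32-bit and the 64-bit MDS diffusion layers of claim 10 would use. The field polynomial (0x11B) and the MDS coefficient row used for checking are assumptions; the patent does not name either.

```python
# Added example, not the patent's code: GF(2^8) multiply laid out as claim 21
# describes: carry-less multiplier with no overflow feedback, lookup table on
# the upper bits, XOR of the return word. Assumption: reduction polynomial
# 0x11B (x^8+x^4+x^3+x+1); the patent does not name one.
POLY = 0x11B  # assumed reduction polynomial

def clmul8(a, b):
    """Carry-less product of two bytes; up to 15 bits, no reduction."""
    r = 0
    for i in range(8):
        if (b >> i) & 1:
            r ^= a << i
    return r

def build_return_table(poly=POLY):
    """Return word for overflow h (0..127): residue of h*x^8 mod poly."""
    table = []
    for h in range(128):
        v = h << 8
        for bit in range(14, 7, -1):  # clear bits 14..8, top down
            if (v >> bit) & 1:
                v ^= poly << (bit - 8)
        table.append(v)
    return table

RETURN_TABLE = build_return_table()

def gf_mul_table(a, b):
    """Multiplier -> lookup on upper bits -> XOR, as in claim 21."""
    p = clmul8(a, b)
    return (p & 0xFF) ^ RETURN_TABLE[p >> 8]

def gf_mul_ref(a, b):
    """Reference shift-and-reduce multiply (overflow fed back each step)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r & 0xFF

def mds_row(coeffs, column):
    """One output byte of an MDS matrix-vector product over GF(2^8)."""
    out = 0
    for c, x in zip(coeffs, column):
        out ^= gf_mul_table(c, x)
    return out
```

The table lookup replaces the per-step overflow feedback of the reference multiplier with one read, which is what lets the multiply and the reduction run as two independent stages.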